UPDATED: AOL Added To ORBS List - At Their Request

A couple of people have sent us the word that AOL has managed to get itself added into the ORBS list for having open mail relays. Let's hope this inclusion makes them clean it up a little bit more. You can check the full database to see other servers in there. I've talked with the folks at AOL - the two servers that were added were at their request, so that no one would take advantage of them. More info in a bit. Update: 03/29 03:20 by E : Read more below; we got E-mail from Scott Crain, AOL's 'Spamdinista.'

Scott Crain, AOL 'Spamdinista,' wrote in with an update, and to make what's going on crystal clear.

There are two machines that have been added to ORBS on AOL's networks, at my request. The two machines are a new system in place to allow us to keep spammers from using outbound SMTP connections to spam the rest of the net with junk. Alan Brown, the maintainer of ORBS and I correspond frequently on a couple mailing lists we both frequent, and he asked if it would be ok if I had him place these two machines in ORBS, to which I agreed.

Basically, the two machines that are there are the external gateway for a percentage of AOL members using their TCP connectivity to send mail out of AOL without using the AOL client. It's no different than blocking AOL's dialup IP's (*.ipt.aol.com) as the MAPS DUL does currently.

In other words, this is a good thing. I'm sure I'm not the only one who doesn't like spam from AOL, and this looks like a step in the right direction.

  • by Anonymous Coward
    I find it both funny and maddening. I have had a dial-up mail server for ages now; it is as locked down and secure as I can make it, yet according to the MAPS DUL I don't have the legitimate right to run my own mail server because I am just a lowly dial-up.

    "We have not found a legitimate reason for dial-up users to talk directly to recipients' mail servers"

    The reason might be because I can and don't spam. If I relay through the ISP I will lose my domain name and have to put in a lot of header re-write rules. My domain is hosted elsewhere for free but with no mail services other than forwarding. This is just not well thought through.

    My ISP doesn't have a policy against this, so it is not unauthorized. I pull in the mail through the ISP's POP. I hate spam as much as anybody, but that is a real snobby statement, especially if your ISP's server may suck periodically. I don't put a load on their dial-up router and they leave me alone.

    And of course the real issue is that more and more people are dialing in and want to run all their services themselves. With the advent of IPv6 everyone will have a fixed IP. The trend then will be toward de-centralizing services, and educated, responsible customers actually can take the load off the ISP's central mail server.

    I worked at an ISP once and we tried MAPS RBL, but it was too exclusionary and, like all these efforts, needs to be a lot more specific. And I have heard all the ORBS nightmares as well.
  • by Anonymous Coward
    > I don't use ORBS, since I find it too aggressive.

    My ISP found ORBS to be very aggressive. I spoke with them to find out why they are on the ORBS list of [orbs.org] Netblock Entries (aka "the Bozos List").

    The fact is that my ISP protested the unsolicited scanning of their networks from an outside source, white hat or not. And the scan was also hitting customer dialups. My ISP secured their sendmails, and told ORBS to kiss off and stop probing their networks.

    I really don't blame them. A "white hat" service should not be as intrusive as ORBS.
  • Check all the headers of your message. Often SMTP servers will report what IP address you connected from. So it may have something like "Received: from silverlight.net (123.45.67.89)..." They could then do a lookup on that IP and see you connected to silverlight's server from an AOL IP.

    Just a guess.
  • Document it. What company? When did this happen? Who added it? Evidence, dear Watson. Every entry in the RBL is documented from their side. I tend to trust that unless presented with facts, not a vague story. Are you *sure* you're even referring to the RBL? After all, that's offtopic; we're talking about ORBS.
    ----------------------------
  • Ah.. Well that's depressing. (Curious, this news didn't come back to Slashdot as far as I can remember..)

    I do recall @Home cracking down on their customers. For years, I used a friend's cable modem box for mail and a mush, and we noticed @Home mass portscanning their customers on port 80. Not long after that he got a nastygram to cease and desist or be disconnected. So we moved everything to a safer system in record time. For the record, we had been running several daemons off that cable box for four years before @Home bothered to notice.
  • Yes, they give you one month of time. But as they blacklist smarthosts of open relays too, this can be much too little time.

    ORBS had half of Germany scanned last year, and some major ISPs turned out with 200+ open relays. Now all of these relays are under the control of the customers, so you need time to find out what MTA they run, how to fix it, and even to explain the problem to them.

    If you try to tell ORBS that you are working on it and need more time, they simply tell you, "Duh, you have plenty of time, we don't care how long your work days are". This and the fact that ORBS is lying (they say that they won't scan blocks and won't use data that was likely obtained from such scans) makes them unreliable and not a source to trust.

    Block ORBS.
  • Most mail abuse problems can be solved by dial-up based providers blocking access for their users to port 25 for anything outside of their network, thus ensuring that the mail has to (theoretically) come through their local mail servers.
  • Didn't screaming.net do the 0800 number thing long before AOL started their (similar) deal?

    Whatever - much kudos to AOL UK for being extremely vocal in their dislike of the UK telco charging structures.

    ..
  • I've noticed a lot of multiple-step spam coming out of AOL recently, and wondered why it was worse than usual - now I know. :) This won't help me a great deal, since I don't use ORBS, but it's good to see them taking action. I think that the MAPS RSS would list the open servers, though, if they were reported.

    For spam filtering at my site, I use two services: the MAPS RBL, which lists the IP address blocks of repeat and unrepentant spammers, and the MAPS RSS, which lists any still-open relays that have been spammed through.

    MAPS RSS is different from ORBS in that spam must have been sent through a server at least once for it to be listed - you won't get listed in the RSS if you just block relay tests from them. ORBS is somewhat less "polite," and I don't use them because of the larger number of false-positive spam-blocks.

    I'd use the MAPS DUL, which is a list of IPs used for modem pools (which should always be using their ISP's SMTP servers), but I can't get Sendmail to allow relaying from DUL-blocked IPs that should be otherwise allowed to relay through me (customers of mine using DRAC POP-before-SMTP). Anyone?

    More information on MAPS services is available at http://www.mail-abuse.org/ [mail-abuse.org] (not affiliated, etc.).
  • Spam actually, really, from AOL accounts, or spam with "@aol.com" forged into the headers?

    How much spam do you get per user? How does this compare to other ISP's?

    I have observed three different phases. First, a lot of spam came from AOL throwaway accounts. This never quite stopped, but came down to a dribble. After that, very many spammers faked AOL from-addresses. However, in the last couple of days I got a lot of spam from users with what looks like dynamically allocated AOL IP addresses. I suspect that this new wave of spam triggered ORBS.

    In the last two weeks, I got some spam via an open relay in Spain, some via some obscure mail servers in China, and about 50% via AOL. I have no idea about the number of users in China (1.2 billion? *grin*) or using the Spanish ISP (actually, it was a bank), but AOL certainly is one of the major spam sources at the moment.

    I expect AOL to improve fast - while their user base still sucks, they did get a quite good support team.

  • One thing that makes me slightly suspicious about this is that ORBS not only blacklists open relays, but it blacklists any intermediate mail servers. So if you run a mail server that allows customers to smart host through you, and they happen to be open relays, you get listed in ORBS. Your server isn't an open relay in and of itself and only acquires that quality through a clueless customer, and whether or not your customer smarthosted or not, they'd be the ones with the open relay.

    It's quite possible that AOL is completely irresponsible here and has an open relay and ORBS could be completely right, but I think some caution is due here before throwing down on AOL (which a vast majority of the posters here seem to be doing without knowing anything about mail transport or mail blackhole lists).
    --
    Kevin Doherty
    kdoherty+slashdot@jurai.net
  • You completely missed the point. ORBS is not immediately about blocking spam, it's about closing open relays, which can be used by anyone to send mail to anywhere, frequently abused by spammers to spam anonymously.

    Just because some spammers use AOL doesn't mean that AOL should be in ORBS; AOL should only be there if it operates open relays.
    --
    Kevin Doherty
    kdoherty+slashdot@jurai.net
  • AOL apparently has no desire to deal with spam complaints. They no longer accept [ksu.edu] spam reports at 'abuse@aol.com'. 'abuse' is the emerging standard [isi.edu] contact address for spam reports. Instead, AOL insists that reports of email spam be sent to the intuitive and easy to remember 'tosemail1@aol.com'. What a stunning display of contempt for the rest of the Internet, especially for the users who have been trained to report spam to abuse@isp.

    This just makes the fight against spam that much more difficult.

    Don't try to tell me that AOL can't pay a FTE or three to sort through the abuse mailbox and dispatch the complaints to the appropriate team.

  • And I guess if you use a VPN you can configure the mailserver to only accept mail from authenticated users with IP addresses on the VPN network.

    Plus, the VPN would add to the overall security as well.
  • Where's the grammar error there? I don't see anything wrong with the statement in question.

    Jeff Sand
    shroom-at-bradley.edu
  • Not sure if this is the one you mean, but here's one Mountain Dew commercial:
    http://www.adcritic.com/content/mountain-dew-busta-rhymes.html

    check www.adcritic.com, they usually list the background songs for all the ads there...
  • What we do at my site is to use the Sendmail [sendmail.org] (8.9.3 and later) "access_db [sendmail.org]" feature with higher priority than RBL and ORBS. This means that you can add a host (or network, or domain) into the access hash that will always or never be able to relay to or through your site, regardless of what MAPS RBL or ORBS have to say about it. An added benefit of access_db is customized refusal messages. Say, for example, you get a lot of spam for a certain domain without a postmaster@ address whose DNS is rather screwy. It's not relaying spam, just sending spam. So, I can put something like "spamdomain.net 550 Your postmaster address is broken, I don't know who you are--too much spam from your domain. Go away." in access_db and protect your network and inform the clueless admins at the remote site of what's wrong.
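    As an added illustration of the precedence the post describes (not the poster's own configuration), here are example access entries with the sendmail.mc lines that enable them; the network, hosts, domains and refusal text are assumed, and the dnsbl feature is the sendmail 8.10+ spelling of the older FEATURE(rbl). An OK or RELAY entry for a connecting client is honoured in check_relay before the DNS list lookups run, which is what makes the local map win over MAPS RBL and ORBS.

    ```text
    # /etc/mail/access  (key <TAB> value; build with: makemap hash /etc/mail/access < /etc/mail/access)
    #
    # Enabled in sendmail.mc with (assumed path and list zones):
    #   FEATURE(`access_db', `hash -o /etc/mail/access')dnl
    #   FEATURE(`dnsbl', `blackholes.mail-abuse.org')dnl   MAPS RBL
    #   FEATURE(`dnsbl', `relays.orbs.org')dnl             ORBS
    #
    # Always relay for our own network: a listing on any DNS list is ignored.
    192.168.1	RELAY
    # A customer's fixed-IP host that must relay through us even if listed.
    203.0.113.7	RELAY
    # Accept, but do not relay for, a partner whose block a list has caught.
    partner.example	OK
    # Never relay for a network we know only sends junk.
    198.51.100	REJECT
    # Custom refusal for a sender domain with a broken postmaster@ (the post's case):
    # matched against the envelope sender in check_mail, reply code and text returned as given.
    spamdomain.net	550 Your postmaster address is broken, I don't know who you are--too much spam from your domain. Go away.
    ```

    Entries are matched most-specific first (full address, then domain, then parent domain or network prefix), so a RELAY line for 192.168.1 covers every host in that /24 without listing each one.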
  • > 3. ORBS only blocks proven open relay servers, and servers which ORBS can't check.
    Ah. so it's guilty until proven innocent, then?

    I see...

  • How much of that spam actually originated at AOL, and how much had forged headers to make it seem to come from AOL?
  • I find it amusing how ORBS keeps having to find new service providers. To my knowledge they have been kicked off two or three providers for blocking their own host.

    While I appreciate the work the Orbs people are doing I don't appreciate the rough and offensive way in which they operate.

  • Did you report it to AOL?

    The one time I got spam from a legitimate AOL user (and not a fake @aol.com address), I sent it to abuse@aol.com. After a few days, I got back a confirmed kill letter. That's a hell of a better response than I've gotten out of any other ISP.
    --
  • Interesting. I had an eBay transaction go bad once because the AOL seller didn't receive any email from me at work. I could see from the logs that your SMTP servers were accepting the mail, but the guy insisted that I was ignoring him.

    Maybe my work is spamming people, or maybe the guy just wanted to give me negative feedback. Has made me shy away from sellers on AOL, tho.
    --
  • > And I bet if you were busy working on your next /. post, and some clown walked in because your door was unlocked, you would find this OK? ORBS is no better than someone who walks about the neighborhood, looking for unlocked doors or keys under the entry mat. Then they place up a billboard saying "Open door at 321 Evergreen". What shocks me is that you, as a systems manager, are not outraged at such behavior.

    Except that's not what they do. They first send you a note saying your door is unlocked, wait a month to see if you close it, and then post it on a billboard. You've had the chance to fix it; if you don't, that's your problem.

    > If this was the case, why was a request for the basis of the spam claim ignored? Because they can not provide it. I'd LOVE to see the claimed spam mail for my source....yet, this is not forthcoming.

    They don't list spammers per se... They list open relays. They don't need a spam complaint; all they need to see is your open relay. It's what they are, a list of open relays. You don't like it, live with it.

  • Exactly. ORBS seems a bit useless.

    With ORBS, one could test a server to see if it will relay mail for you. If it does, you know, and orbs tells them. You can spam for up to 30 days before ORBS notifies the rest of the spammers, that that machine is now available. The spamming continues until the machine is blackholed.

    Why publicize it? Why not just wait until the machine is actually used for spam, and then go through the steps of RBLing it? It's that whole innocent until proven guilty thing... They haven't done anything wrong; there's just potential for wrong to be done.

    Sound familiar, Napster fans?
  • AOL isn't actually the main cause of spam at present. The main sources are uu.net dialups (possibly through downstream customers who lease it), and sprintlink.net

    (Neither of which are on ORBS because the people using them seem to do direct-to-MX spam, before anyone says anything. :)

    If people want to do something, try complaining to the people hosting the spamvertised sites, the tools to do it (eg www.cybercreek.com), etc. Lurk in the newsgroup news.admin.net-abuse.email for a while, you'll soon see links to helpful pages.

    But basically, don't go needlessly off on another AOL rampage, when they're not really doing too badly at present. :)
  • I use it on my own machine here, and it's caught 1 false positive (a machine in mozilla.org), and quite a few spams. I consider that a reasonable tradeoff, although I can appreciate that you'd probably look at it differently if you're an ISP. :)
  • How about setting up an intermediate Linux server between the NT server and the outside world. At least you could configure the Linux server to be secure and then hide the NT server within the firewall.

    Andre
  • Absolutely.. the vix.com spam traps are pretty good and VERY rarely block legitimate email. On the other hand, as a sysadmin of an ISP, I find that our customers' own configured relays (which incidentally are very often running Lotus Notes.. is their "default setting" set to open relay? :( ) are landing in ORBS on a daily basis. Unfortunately, unlike vix.com, which actually makes a genuine reasonable attempt to contact the maintainer of the relay (perhaps by doing something sensible like looking at the contact in the whois database) before throwing them in the pit, ORBS just sends an email to "postmaster@machine" without a proper "To:" header and assumes it's going to get spotted amongst the 20,000 bounces that postmaster receives every day!

    Upon discovering that one of our customers is in the netblock, rather than finding polite, helpful guys like the vixie mob, ORBS are just arrogant.

    On one occasion, one of OUR relays was thrown into ORBS for allowing %hack type relaying, yeah, like THAT is useful to a spammer.!
  • Lots to respond to here. First, if you expect bounced messages from ORBS, you can always filter them out (the ORBS web site even tells you how). Second, ORBS does not test daily: it has not checked my hub for months. Third, I don't much mind the 17 messages (I receive rejected messages anyway) as I do having my hub hijacked by a spammer to send thousands of message if the jerk had got to my hub before ORBS did. Fourth, if your MTA crashes from unremarkable, nonmalicious, fully documented SMTP requests, then it is too buggy and fragile to be on the Internet. You should be grateful to ORBS for pointing that out, and fix it. Don't be lazy: I fixed mine.
  • ... at least some @home mail servers.. my mail goes through 24.2.9.40 relay and it gets bounced from a ton of sites that use ORBS. Anyone else's @home e-mail got bounced so far?


    --
    GroundAndPound.com [groundandpound.com] News and info for martial artists of all styles.
  • Speaking of useful links, this site [spamcop.net] is one of my favourites. It means I can cut and paste the header and body of a spam into a box and press a button. Hey presto, header automatically parsed, and an automatically generated complaint I can send to the abuse@ addresses of any dodgy-looking ISP's.
  • So who knows, maybe AOL will catch on. But somehow I'm a bit pessimistic. As somebody pointed out, AOL has been put on blacklists before, and obviously it didn't faze them. Maybe ORBS is a more prominent list, maybe not. I'm not very familiar with the background here (AOL doesn't exactly consume my every waking moment).

    I certainly hope AOL does get the message, however. God only knows how much spam I get from AOL accounts, yet I can't afford to block them because I need to be able to communicate with customers that only have AOL.
  • Ok, now we have some reassurance from another source that AOL's looking into its spam problem.

    NOW if it will only tell me what they have done to several spammers I've reported. All I'm getting is a virtual "We won't tell you anything. It's our 'security' policy. NYAH!" when I'm still getting junk from AOL's dialups and servers are slowly banning AOL manually. This isn't just for spamming; it also encompasses harassment of the users of those non-AOL servers. (IRC, MUCKs, interactive services, even AOL's own AIM are examples of this)

    ---
    Another non-functioning site was "uncertainty.microsoft.com." The purpose of that site was not known. -- MSNBC 10-26-1999 on MS crack

  • > We simply don't have time to respond to spam complaints... way way WAY too many of them.

    All I'm looking for is a semi-personal form letter saying you've nuked the account afflicted. This is insanely easy to implement, and can even be hooked up into an existing reporting database. In fact, I wrote one up in this Usenet post to news.admin.net-abuse.email [deja.com] for UUNet. Just this setup time works well with ISP's as big as AOL.

    > We can't tell you any specific details of any action we take against a member's account, because AOL's privacy policy guidelines prohibit this.

    [humor] I don't care if you used a five-kiloton thermonuke missile to get a spammer off your system, or a three-kiloton. [/humor] All I ask is that the user who sent the junk to my account has been dealt with. Not "We'll deal with it." I'm looking for a "We've dealt with him. He will not be spamming from us again."

    All I'm getting is a "We're looking into it." I've gotten too many "We're looking into it"s from ISPs. I've gotten too many bounce messages, too. I've already helped get Real Networks on the MAPS RBL for being unrepentant in sending me junk. XOOM's getting there now. I have 84 spams waiting for LARTs to be fired off again, 4 relays to nominate to the RSS, and 74 spams filtered out according to the RBL or RSS. I'm tempted to start doing a spam or four a day. I only delete spams when I see the user responsible removed or reeducated. I wouldn't be surprised if I get a third of the load cut down because it's all AOL originating stuff.

    I'm not saying that the job gets done. I just don't have any proof of it, and it shows on other servers.
    ---
    Another non-functioning site was "uncertainty.microsoft.com." The purpose of that site was not known. -- MSNBC 10-26-1999 on MS crack

  • If you ever figure out how to nuke UUnet, for God's sake don't spare the plutonium! I use a lookup service to not have to fuss terribly much over filing complaint reports (Spamcop). I always look at the full information, and I refuse to send to their dumb 'Spam Recycling Center' links as I don't trust that as far as I could throw it.

    Yet even with all that, I _still_ am beginning to hate uunet more and more. I've taken to adding little personal notes to my customary remarks- like "Please kill this spammer's account, oh UUnet source of my unending torments and target of my everlasting loathing and hatred. -postmaster@airwindows.com" It seems to make no difference and only relieves my feelings a bit. UUnet never stops giving spammers accounts and I'm damned if I can figure out if they even restrict them in the slightest way. I've heard they might do something like give warnings and say 'Send to other emails, ones that don't complain to us!' which is not an acceptable response.

    Could _somebody_ please rip uunet's head off and #*$% down their neck? As a personal favor to me and Denor here? :P

  • "One of my friends once made a joking suggestion that we should get together a bunch of scary BOFH types, and call them the Spam Patrol. Have them dig up spammers' real addresses, and show up at the spammer's home in black suits and dark sunglasses. Have them stop in to chat. The spokesperson would calmly and patiently explain why Spam is Bad -- theft of resources, cost-shifting, etc, etc. Meanwhile, the four or five other Scary BOFH Types would simply wander around the living room and comment about how nice a house it was, wouldn't it be a pity if, etc."

    Ohhhhh, I like this. I like it very much. I would point out that it's much much better to not have the others making threatening (and actionable) remarks at all. Have them just be there in a chillingly disciplined manner, saying nothing.

    Ohhhhh, I'd pay to get to do that. Maybe someone should try to organize this :) pity I don't have a black suit. I do have imitation Blues Bros. sunglasses :)

  • If you don't want to get rid of the NT box yet, couldn't you use Sendmail on your public server, which would only do basic relay checking and then relay the mail to your NT box for actual delivery?
    That should be easier than moving your whole operation to Sendmail all at once.


    --
  • They don't even require a spam incident -- they will launch this "test" against any host that is nominated REGARDLESS OF WHETHER IT HAS EVER SENT SPAM.

    I suspect that this is why ORBS is still accused of scanning for open relays. Some spammer is probably "nominating" whole IP blocks so they can check the ORBS list later. Since nobody smart uses ORBS, they now have a list of open relays, which are not on any real blacklist.

    Either this is the case, the ORBS kiddies actually *are* doing scans, or AboveNET and many other ISPs are lying when they claim ORBS is scanning them.
  • I rather like the RSS. It's suitably aggressive to catch a lot of spam, and has several advantages over ORBS:

    1) It doesn't list multi-level relays[*] -- I count this as an advantage, because it cuts out the "block an entire ISP because of a few rogue customer" effect.

    2) They can actually produce a spam for each listing, something that ORBS cannot do in most cases.

    3) [related to (2)] When explaining to a (non-)admin why you are blocking their mail, you can point them to an ACTUAL SPAM INCIDENT and say
    "here's why."

    4) [also related to (2)] There are no "manual listings" on the RSS -- every RSS-listed host is actually an open relay. Many ORBS-listed hosts are not open relays.... perhaps even most, with the multiple /16s of AboveNet listed.

    [*] I really dislike the way ORBS handles this problem. Basically, if you run a (closed) relay, you apparently need to subscribe that relay to ORBS in order to keep it off of ORBS. Oh, yeah... there is one other alternative: you can enforce a no-servers policy, or (ack!) filter all incoming port 25 traffic to customers.
  • > If you are free to block them, how can you say they can't block you?


    It's not that they can't, because clearly they can. It's that they shouldn't. They have attained a position of significant respectability (fairly wide-spread use) with their service; this separates them from the common user or ISP. Users trust them to provide even-handed and consistent service, just like we trust our local police not to shoot someone in the knee caps for saying "Fuck you" to an officer.

    When such brutality does occur, as we all know it does from time to time, the Police must be taken to task for wielding state-level power on a personal basis.

    ORBS has successfully become a sort of 'Police' of the Internet. If they aren't grown-up enough to handle the responsibility in an enlightened manner, they will be replaced, and rightfully so.

    I think (hope) that such things are growing pains, and that as they come to realize that their new-found influence comes with certain responsibilities.
  • The 'CLUE of prevention' you speak of is valid at the local level. At the global level things aren't so clear. You, as a fully functional human being, have untold potential to wreak havoc upon your neighbors. Should they kill you now to prevent that possibility?

  • First, a note to say that I *highly* disagree with the moderator consensus relegating your post to mere 'flamebait'. It's a jury of our peers, tho', and we can't expect to agree all the time. Bad moderation happens, as we see here. Fact of /. life. For the record, overall, I think moderation works pretty well.

    That said, I disagree with your post for the simple reason that this is an interesting and important issue, and it's good to have it a bit further in the public eye. I care about such things, but I'm not a full-time administrator, so I don't (yet) peruse the specialist forums. Your annoyance is understandable, but I still disagree.

    Respectfully,
    skent

  • Brilliant post, doomed to the slush-pile.

    Oh well!

  • This clearly demonstrates the problems associated with one entity having too much market share in any particular market. Any blacklist that bans AOL is shooting itself in the foot, because there's too much legitimate mail coming from the aol.com domain. For millions of people, AOL basically is the Internet. That's a problem. It demonstrates a problem we all know so well from the operating systems field: when one player has too much market share, they can basically act with reckless abandon. Everyone has to work with them or risk locking out their own customers, or potential customers.

    --
  • "AOL has been added to ORBS" is a hell of a strong statement. Surely AOL operates more than one mail host. If one is insecure, then it _should_ be in ORBS. 'nuff said. I don't want crap in my mailbox just because someone wants their daughter's happy birthday java-crashy card.

    I'm sure the vast majority of the AOL machines are NOT in ORBS, and most mail will get through.

    ---

  • The ORBS people have always been sitting ducks for a restraint-of-trade lawsuit.

    Now they've taken on someone who knows very well how to spell "lawyer".

    The last I saw a discussion with the ORBS kids, their attitude was "we decide who is in the wrong, and how to punish them". Even when they are right, such an attitude creates enemies.

    And when they are wrong, the lawyers descend.
  • I have been an opponent of the RBL for a while. There are absolutely no checks and balances to prevent personal grudges from taking a toll on businesses, etc. The company I work for was placed on the RBL by one of the board members, without any contact. The reason: he received an email he didn't want from a customer which had a website with us. Mind you, they didn't use our mail system to send him this email, nor was it SPAM.

    Subjective control of the Net is wrong, for the same reason that censorware is wrong.

    The RBL is a heavy handed approach to solving problems. Rather than taking the approach ESR took with Netscape, they are extorting email providers into compliance. That's just wrong.

    ORBS only serves to make an application level RBL. These approaches are entirely wrong, diplomatic approaches must be made to solve the problem, not heavy handed politics.
  • Our relay is partially open - it allows relay only if the sender's e-mail address or at least one recipient's e-mail address is from a locally-hosted domain. Not the most secure method, perhaps, but it seems to be enough extra work that spammers simply find a wide-open relay and use it instead of us. There's a much better way to do this. I modified our POP server at a previous employer such that it placed an IP on an approved relay list for up to two hours after a valid authentication. This worked great for people on the road because all they had to know was that they had to check their mail before trying to send anything (something people usually do anyway). c.
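    As an added example (not the poster's code, and not a real MTA), the relay decision logic the post describes, in Python: rule one relays when the envelope sender or at least one recipient is in a locally hosted domain, rule two is POP-before-SMTP, where a successful POP login opens a two-hour relay window for the client IP (the same mechanism behind the DRAC question earlier in the thread). The local domain, IP addresses, timestamps and addresses are constructed; the sender/recipient rule is kept switchable because the envelope sender is only a claim by the client.

    ```python
    """Relay policy: local-domain sender/recipient rule plus POP-before-SMTP.
    Constructed example; example.net and all sample addresses are assumed."""
    from dataclasses import dataclass, field
    from datetime import datetime, timedelta
    from typing import Dict, List, Set, Tuple

    POP_WINDOW = timedelta(hours=2)   # relay window the post describes


    def domain_of(addr: str) -> str:
        """Lower-cased domain part of an envelope address, '' if there is none."""
        return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


    @dataclass
    class RelayPolicy:
        local_domains: Set[str] = field(default_factory=lambda: {"example.net"})
        pop_window: timedelta = POP_WINDOW
        # Rule one is the weaker one: MAIL FROM is whatever the client says, and
        # one local RCPT TO among many off-site ones also satisfies it. Default
        # True to mirror the post's relay; set False for the hardened policy.
        allow_local_sender_rule: bool = True
        _pop_logins: Dict[str, datetime] = field(default_factory=dict)

        def record_pop_login(self, ip: str, when: datetime) -> None:
            """Hook for the POP server: call only after a successful login."""
            self._pop_logins[ip] = when

        def pop_authorised(self, ip: str, now: datetime) -> bool:
            """True while the client's last POP login is inside the window."""
            last = self._pop_logins.get(ip)
            if last is None:
                return False
            if now - last > self.pop_window:
                del self._pop_logins[ip]        # expired; forget the entry
                return False
            return True

        def decide(self, client_ip: str, mail_from: str, rcpt_tos: List[str],
                   now: datetime) -> Tuple[bool, str]:
            """Return (accept, reason) for one SMTP transaction."""
            if not rcpt_tos:
                return False, "no recipients"
            local_rcpts = [r for r in rcpt_tos if domain_of(r) in self.local_domains]
            if len(local_rcpts) == len(rcpt_tos):
                return True, "local delivery, no relaying involved"
            # At least one recipient is off-site, so this is a relay request.
            if self.pop_authorised(client_ip, now):
                return True, "client authenticated via POP within the window"
            if self.allow_local_sender_rule and (
                    domain_of(mail_from) in self.local_domains or local_rcpts):
                return True, "local sender or recipient (unauthenticated rule)"
            return False, "relaying denied"


    def sample_run() -> List[Tuple[bool, str]]:
        """Walk one roaming client through the rules; returns each decision."""
        t0 = datetime(2000, 3, 28, 12, 0)                   # constructed clock
        pol = RelayPolicy()
        out = []
        # Inbound mail for a local user: never a relay question.
        out.append(pol.decide("10.0.0.5", "bob@elsewhere.org", ["alice@example.net"], t0))
        # Off-site recipient, unknown client, foreign sender: refused.
        out.append(pol.decide("10.0.0.5", "bob@elsewhere.org", ["carol@far.org"], t0))
        # The user checks mail (POP login succeeds), then sends within two hours.
        pol.record_pop_login("10.0.0.5", t0)
        out.append(pol.decide("10.0.0.5", "bob@elsewhere.org", ["carol@far.org"], t0 + timedelta(hours=1)))
        # Three hours later the window has closed.
        out.append(pol.decide("10.0.0.5", "bob@elsewhere.org", ["carol@far.org"], t0 + timedelta(hours=3)))
        # Same client, but now claiming a local sender: rule one lets it through.
        out.append(pol.decide("10.0.0.5", "alice@example.net", ["carol@far.org"], t0 + timedelta(hours=3)))
        # Hardened policy: the claimed local sender no longer buys a relay.
        strict = RelayPolicy(allow_local_sender_rule=False)
        out.append(strict.decide("10.0.0.5", "alice@example.net", ["carol@far.org"], t0))
        return out


    if __name__ == "__main__":
        for accept, reason in sample_run():
            print("ACCEPT" if accept else "REJECT", "-", reason)
    ```
    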
  • I can just imagine a group of fed up people actually taking civil action against an ISP that has some sysadmin that just blithely blocks e-mail from some location because of "spam" (that's a crappy name for it).

    Tough luck. When you sign with an ISP you sign with the Acceptable Use Policy, Term of Service and other appropriate stuff. If it says no SPAM this means no SPAM. If unhappy change the ISP. You have no legal grounds to sue the sysadmin after you have signed that you actually allow the sysadmin to do the filtering. So long and thank you for the Fish...

  • AOL has been in the RBL in the past. It has not invalidated the RBL. Actually it brought more popularity.

    I did not consider using ORBS till now, I do now.

  • It was discussing litigation against ISPs refusing email from them in the past on at least some mailing lists like NANOG. And guess what - it found that it had no legal grounds to even file a suit.

    Any ISP has no obligation to receive mail from anyone. They are not obliged. Period. The only ones who can sue them are the ISP's users, and only if the ISP has been dumb enough to start filtering without formulating its contracts properly. The usual contracts with an ISP make sure that users have no grounds for any lawsuit ;-). That is life...

  • These are not AOL mail outputs. These are the inputs.

    As a person who has been hit by an AOL end-user generated mail D.O.S. at one of my previous jobs I can tell you for sure. You are checking the wrong IPs. Better scan your logs for AOL incoming and get the IPs from there. Thus you will get the tier 1 relays. From what I recall there are at least two more tiers which you can determine by firewalling Tier 1 and then the appearing Tier 2.
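The log check this comment recommends, as an added example (not the poster's code): read your own inbound mail log and count which relay hosts actually hand you mail for a given sender domain. The log lines are constructed in sendmail's `from=... relay=host [ip]` shape; the host names and addresses are invented.

```python
"""Find the relays a sender domain really arrives from by reading the
receiving side's own mail log (constructed example)."""
import re
from collections import Counter

# Constructed sendmail-style arrival and delivery records.
SAMPLE_LOG = """\
Mar 28 12:07:01 mx sendmail[1201]: MAA01201: from=<someone@aol.com>, size=1420, class=0, nrcpts=1, relay=rly-a1.mail.example [198.51.100.21]
Mar 28 12:07:09 mx sendmail[1202]: MAA01202: from=<other@aol.com>, size=988, class=0, nrcpts=1, relay=rly-a2.mail.example [198.51.100.22]
Mar 28 12:08:30 mx sendmail[1203]: MAA01203: from=<friend@example.net>, size=2210, class=0, nrcpts=1, relay=mail.example.net [203.0.113.9]
Mar 28 12:09:12 mx sendmail[1204]: MAA01204: from=<third@aol.com>, size=512, class=0, nrcpts=2, relay=rly-a1.mail.example [198.51.100.21]
Mar 28 12:09:40 mx sendmail[1205]: MAA01205: to=<bob@example.org>, delay=00:00:01, mailer=local, stat=Sent
"""

# Arrival record: envelope sender domain plus the relay host and its IP.
LINE_RE = re.compile(
    r"from=<[^@>]*@(?P<domain>[^>]+)>.*?relay=(?P<host>\S+) \[(?P<ip>[\d.]+)\]"
)


def inbound_relays(log_text, sender_domain):
    """Count (relay host, ip) pairs seen for envelope senders in sender_domain.
    Only 'from=' (arrival) records match; delivery ('to=') records are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("domain").lower() == sender_domain.lower():
            counts[(m.group("host"), m.group("ip"))] += 1
    return counts


if __name__ == "__main__":
    for (host, ip), n in inbound_relays(SAMPLE_LOG, "aol.com").most_common():
        print(n, host, ip)
```

The relay host is taken from the log, not from the envelope sender, so forged `From:` lines in the message body do not affect the result; only the IP that actually connected to you is counted.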

  • A company I just got a job with is having the same problems with NT. It used to allow open relaying for customers, but guess what happened? Yep, spammers found us. Now we're closed, but the mail package is a real piece of crap and I got the boss to let us switch over to qmail. I guess enough with the side story.
  • Of course, a college can easily shut off a port on a managed hub, but for AOL, maybe Sprint, MCI, et al could just sever any links out to the rest of the world until they comply... that would be pretty funny (I can see the even dumber commercials now... "Now with re-activated internet connectivity!").
    Perhaps this is what they actually want. A couple of months back, there was the odd CERT notice about 'Promiscuous Browsing'. For AOL to turn back into a Bulletin Board would keep their users within bounds. This time it's a global BBS, and with exclusive 'Time Warner' content not available elsewhere, it would have the edge over MSN.
  • You miss the point: If my system is closed, there is no reason for ORBS to list it in such a way that everyone using ORBS will think it is an open relay and bounce messages from it.

    Unless, of course, it's a power trip, and has nothing to do with stopping spam.

    Should people with buggy MTA's upgrade? Probably. But ORBS shouldn't spite-list them, and shouldn't keep testing them; it should leave them alone.

    Keep in mind, we're not talking about "any random SMTP". We're talking about servers that move thousands of messages an hour, and never, ever, crash *EXCEPT WHEN ORBS HITS THEM*.

    You may prefer 17 messages to a spam run. I prefer no messages to 17 messages. I know enough to keep my servers secured, and test them actively whenever anything changes. ORBS does not believe I have a right to be left alone.
  • You're spoiling our fun. (Hey, folks, moderate that guy up. He's the AOL guy who makes less spam.)
  • Harmless if you happen to run the exact mail server they want.

    There are mail servers, *WHICH ARE NOT OPEN RELAYS*

    * where any relay attempt will create a message in postmaster's inbox.

    * where certain of the ORBS tests *CRASH THE MAIL SERVER*.

    The latter is a bug. So? Why should you have to let this *ASSHOLE* crash your system every time he gets the idea, when you *CAN'T* be used as a relay? He won't stop, ever, and the best you can do is have him list you as if you were a spam hydrant, even if no spam, ever, has left your machine, and you're not an open relay.

    I know people who have this problem.

    Anyway, if seventeen messages isn't enough resources to worry about, why do you mind spam? I only very rarely get more than 17 spams in a day after filtering...
  • Spam actually, really, from AOL accounts, or spam with "@aol.com" forged into the headers?

    How much spam do you get per user? How does this compare to other ISP's?

    I don't think AOL is all that bad *on a per-user basis*. The same thing that makes them so hard to block (they have an amazing number of users) pretty much guarantees that, even if they had many fewer spammers "per million users", they'd have an apparent "spam problem".

    AOL isn't nearly as bad as Netcom and uu.net once were, and none of them are as bad now as what we used to take for granted as the cost of having an email address. I don't mind AOL all that much; they're not that much of my junk mail.
  • When did this happen? Which company? Which board member? Post a URL pointing to all the documentation showing what the email was.

    Or, allow me to continue believing that the RBL is astoundingly well-managed. :)

    (Note that everything like this I've heard dates back about to the point where they had maybe one employee, and really doesn't apply to the RBL as it exists today.)
  • I manage a mail hub that was probed by ORBS. They provided the service of informing me of the security hole, for which I am grateful. Thanks to them, I secured my server against spam relaying.

    Besides the obvious desire to provoke, why would you call their probes an "attack"? From my mail logs, I see that their probes take up very little resources. There were not that many requests, and there were pauses between them. They test using legitimate SMTP requests, and they are entitled to do so once you put your SMTP server on the net. There is a big difference between a handful of probes that result in perhaps a single relayed mail, and a spammer pounding on your unsecured server with thousands of requests for relayed email. I would rather have ORBS test my server any day.

    See their site for details. They do not randomly test sites, but only test when a suspected unsecured site is nominated by someone. Their probing serves, as you say, to "talk to the host accused". The admin has a whole month to secure the thing if it is found insecure, before it is publicly listed.
  • "Unless you are actually running your own legitimate server (no not a pirated or other server off your cable modem or DSL or ISDN connection) you can't make calls like that."

    I'm sorry? My company's mail and web servers that run off of a 2 Mbps SDSL line are pirate or not legitimate? The mail and "do everything" Linux box I have on my 768k ADSL line is pirate or not legitimate? Gee, that's funny. I rather thought anything that could fling packets via TCP/IP was a "legitimate" server.

    This will be of great interest to my users, both at home and at work. 752 people (as of this morning) will be happy to know the services they reliably access, and have accessed for almost 2 years now, are provided by an illegitimate server.

    Oh, and before posting, please learn to spell. It's an "impediment" to accurate communication.


  • I am trying to convince my superiors to let me start refusing mail based on ORBS and MAPS RBL queries, but denying a large volume of legitimate mail (as the case would be with AOL on the ORBS list)...

    FYI, this would still be the case even if AOL were not in the ORBS database. ORBS lists quite a lot of servers that mostly deliver legitimate mail, sometimes on the basis of pretty obscure relay tests and often even if the relay is not actively being abused by spammers. The ORBS philosophy, as far as I can tell, is essentially that it's okay to throw out a few babies as long as you get rid of the bathwater.

    I would put more trust in the MAPS RBL, [mail-abuse.org] DUL [mail-abuse.org] and RSS [mail-abuse.org] databases as more responsibly run systems: while not as aggressive as MAPS, much less likely to discard legitimate correspondence. For many sites, that is of paramount importance.
  • We use three spam lists:

    RSS [mail-abuse.org]
    DUL [vix.com]
    RBL [mail-abuse.org]
    The RSS is a toned down version of ORBS; it only lists relays that have been used to spam, which makes it easier to explain the problem. The DUL blocks any direct from dialup spam. The RBL blocks blackhole sites. The main problem with ORBS is that it is harder to explain (with RSS you can say 'spam _has_ been sent through this server'), and it blocks a lot more sites, which makes it hard to handle on anything larger than a personal mail machine.
  • Maybe your grandma can handle a real ISP, mine can't.

    -B
  • But it need not be a black hole if you don't want it to. It may not be the default that they tell you how to set up, but should you be reconfiguring company e-mail if you can't make Sendmail do what you want?

    AFA their criteria, all of these different lists have different criteria. It's the Admin's job to pick the one that fits best with their mentality.

    Pax.
  • What would be the grounds for the suit? ORBS isn't forcing you to use their list to do anything, let alone block email.
  • Well, your ORBS reply message should be set that someone should understand it well enough (though I grant you that few on AOL would grasp most concepts tougher than the 'start' button) to forward a copy to their postmaster.

    Say something about your mail service, aol.com (create that), is assisting spammers and illegal activity, yadda yadda. If you want to help fix this so you can send *your* e-mail, forward this to postmaster@aol.com (create that, too). With a minute or two spent on the message, you could practically tell them step by step how to properly deal with it (though some couldn't find a button with two hands and a roadmap...). Then in the next paragraph you can list the normal ORBS stuff, with the URL and all that jazz.

    Tens of thousands of calls to AOL customer service may be the only way to remedy the situation, so people have to do this. I suggested in another post a rather extreme view (have the backbones cut them off from the rest of the world until they update a setting or two). Shouldn't be tough to see some action then, and then AOL could have some cute little 'art' appear on everyone's screen saying that the world has stopped being unfair to all of you wonderful AOLusers and that you can get back to that big scary internet, but we know you don't want to, so come join a chatroom...

    A lawsuit would work, too ;-)
  • Moderate this as off-topic if you will, but does anyone remember the days when AOL was *strictly* a proprietary ISP? Before the days when AOL'ers lurked (leaked) onto the Net proper? I get nostalgic for the days of Netscape 1.0. (Or even Mosaic betas...)

    This entire discussion -- ORBS, RBL, etc. -- does bring up an interesting tangent: as a community, we have a helluva pull on the marionette strings. When a company does something bad, the ball usually starts rolling here for protest pages. But why doesn't someone start an "evil-company blackhole list" and disallow *all* services to that company. Block access to www.mattel.com or, better yet, redirect to a page telling people why Mattel is being evil and then give them the option of continuing to the site or signing a petition.

    It's just a thought, a random and tangential thought, but hey... I figured why not throw it out there.

  • I vote they suck. I own an ISP and about a year ago got blocked by ORBS for running a mail server that allowed mail throughs. I upgraded the server, shut off access to the outside world for mailing through us and reported said event to ORBS. ORBS kindly removed my name from their list and everyone was happy. Two months later, a dedicated customer of mine got stuck on the list AND my mail server got stuck on there again but this time as a relay for THEM! Needless to say, the customer was running a crappy mail server on an even crappier O/S (insert best guess here) and I had to block him to get myself off ORBS. Turns out the customer had the logs from the whopping 1000 emails that had run through his site (in the past 4 months) and we discovered what appeared to be "fishs" for a mail through situation on his server and they originated from a site on ORBS. Now they say they don't scan for mail through servers, but this evidence seems to say otherwise. It's my opinion that they will do and say anything it takes to support their cause, which isn't fair to everyone involved.
  • Ok, great - so AOL is on the ORBS list. However, ORBS has been known in the past to do things that they should be smacked on the ass for. They have portscanned our network once - 96 class C's!! They probed one machine which was a virtual web server running an older version of sendmail, and came up with several hundred "open mail relays" not knowing that: 1. All of the IP's were the same machine, and it has _never_ been used for SPAM. It's a web server, and it doesn't do mail. Get it? *smack* 2. This kind of network intrusion is an invitation for an ass kicking. It would be nice if at least they would have said something... The move was definitely unethical. btw... ORBS used to be based in Canada. Then they pissed some people off and had to relocate to New Zealand. har har. Anyhow, it is nice to know that someone out there is an active anti-spammer, but hey, using brute force will only make people angry. It definitely won't help solve the spam issues... And for AOL... As long as they provide cheap, unreliable, insecure access to the net, they will be a spammer heaven. Frankly, I don't think they give a shit about ORBS. They will sue the living shit out of everyone and their dogs, and pay whatever the price is to get their way.
  • Most email clients I've used try to send outgoing mail first before downloading incoming. So telling your users to check their mail first doesn't help if they're using popular POP clients like Eudora. The MSOutlook/Exchange products often do some authentication first, so they might be able to use this dodge.
  • > 3. ORBS only block proven Open Relay servers, and servers which ORBS can't check.

    So you're guilty _because_ you're innocent! :-)

    Seriously, if the purpose of ORBS is to prevent machines from being used by SPAMMERS, and ORBS can't get in to abuse the relay as a test, then spammers can't get in to abuse it for spamming.
    If you've got a site that _deliberately_ blocks ORBS, either it's got some good reason to dislike the probes (e.g. the guys whose lame NT mailer crashes), or because it's running mailer protection software that interprets ORBS as a spammer's probe (good - so they're blocking real spammers too), or perhaps they provide spamming services (in which case the real problem is users with accounts there, not relays.)

  • This is almost the exact word for word attitude that some of that shitty censorware stuff takes.
    Essentially their argument is that you can't have anything worthwhile to say if you have a free or no cost based web site. On that basis almost all of geocities, xoom, and many other providers gets blocked (Bess).
    Another question that needs asking here. I can just imagine a group of fed up people actually taking civil action against an ISP that has some sysadmin that just blithely blocks e-mail from some location because of "spam" (that's a crappy name for it).
    Few of the people who actually run ISPs are in fact owners of said equipment or lines and as such do not have the moral or ethical footing to make such calls.
    Unless you are actually running your own legitimate server (no not a pirated or other server off your cable modem or DSL or ISDN connection) you can't make calls like that.

    I have every reason to believe that most people are just getting screwed over by the Olympians on this one because no one who is getting harmed with having their e-mail blocked has any ability to effectively do anything with it.

    As another poster has already pointed out there is a really bad streak of BOFH in many people that works almost the way it does in cartoons.
    You know the two little people that stand on the shoulders of various characters and represent good and evil? Well I think that many people are listening to the pointy horned one.
    I know personally of several cases where judgements were filed against various sysadmins who thought that they were going to screw the users in any fashion they wanted. A teacher at a high school was relieved of his position after taking copies of e-mail correspondence that in fact did not belong to him and then attempting to use it to further his own agenda and get the people involved kicked out of school.
    Data deletion and malicious banning are also things that I have known to happen.
    How would you feel if say I really didn't like you and started to actually do packet sniffing and then do an active regex search of all packets coming out of your domain. Then I systematically tamper and trash all of those packets that are e-mail messages say after a random number of packets has matched? Not so funny now is it?

    When you work at a job there is a little clause in employment contracts which states something to the effect that anything you do is only permitted if you have authorization from legal representatives within the company and perhaps others in the upper echelons of the company. Without this you cannot do anything without taking a hefty chunk of liability and as such should not try to limit access from ISPs who are legitimately attempting to provide a service to their users.
    The mere fact that the list of blocked sites that is being discussed has been removed from its own service providers several times is indicative of how draconian these people are.
    There are already attempts to make intelligent AI-driven mail and news filtering engines that can attempt to classify various messages by content and word analysis (similar to Echelon). Positive results are showing up all over the place.
    Then once that is done just rapidly have users check their "spam" folder rather rapidly and bam no more problem for them. After doing an analysis of my own mail box and roughly 40,000 from several unix domains I have determined that in fact on the whole 97.8956% of all spam messages that are sent during "peak" times (ie when factored for various changes in Time Zones relative to each other) between say Monday-Friday 10:00-22:00 with the peak being at about 8pm on Wednesday (maybe more people are home then).
    Messages in this time period do not exceed 8-12k in any circumstance.
    I can't see how realistically when such massive bandwidth and tremendous risk is involved one can justify acting as a free speech empidement.
  • It's not like anyone IMPORTANT is on there.

    Oh, sorry... was that a troll?

  • >As long as they don't break any laws, there is no reason for me to do anything.
    If you are talking about the door-knob turner, they ARE breaking the law. It is called prowling. And Trespass. And if they keep doing it, stalking.
    http://www.wwlia.org/ca-stalk.htm

    >you should try to resolv this matter
    Resolution is possible with reasonable people. ORBS are not reasonable with their methodology. They blindly attack hosts, and when asked for proof as to why my host was attacked, they can provide NO PROOF OF SPAM so that I might figure out how to stop that 'alleged spam' in the future.

    Go on NANOG's lists. Look around, and you will see that ORBS is believed to do more harm than good. Because ORBS is no better than the spammers who probe hosts. And because ORBS is a net terrorist.

    You want change? Then get ORBS to modify their methods. Get them to contact the admins before they test. And provide proof of the SPAM from a site. Have ORBS be REASONABLE, and they won't generate all this ill-will they have.

    Right now, ORBS is a net-terrorist.
  • I manage a mail hub that was probed by ORBS.
    If you insist that you manage the box, fine.

    They provided the service of informing me of the security hole, for which I am grateful. Thanks to them, I secured my server against spam relaying.
    Strange. I read my mail log files, and I notice things like people sending e-mail through my system. It is called SYSTEM MANAGEMENT. If YOU needed ORBS to tell you that you had an open relay, and ORBS only probes machines that have been used for spamming, then it looks like you need some help with the concept of system management.

    Besides the obvious desire to provoke
    No if I want to provoke I do something like this:
    You sir, are an incompetent Sysadmin if you need to have an outside service tell you you have a problem. Looking at your own log files and having a basic knowledge of how to admin a Unix box should let you know you have a problem. You may not know HOW to fix the problem, but your post indicates that you were oblivious to the use of your box by relayers. Instead of spending time here on /., you should spend your time and energy reading some books on Unix Sysadminning, or taking a few courses on it at the local college. Feeling provoked yet? All I'm willing to do is point out how the people at ORBS are net-terrorists, pretending to be 'offering a service'.

    why would you call their probes an "attack"?
    Because it is. Looks like a probe attack, smells like a probe attack, LOGS like a probe attack, it's a probe attack.

    They test using legitimate SMTP requests, and they are entitled to do so once you put your SMTP server on the net.
    And I bet if you were busy working on your next /. post, and some clown walked in because your door was unlocked, you would find this OK? ORBS is no better than someone who walks about the neighborhood, looking for unlocked doors or keys under the entry mat. Then they place up a billboard saying "Open door at 321 Evergreen". What shocks me is that you, as a systems manager are not outraged at such behavior.

    and a spammer pounding on your unsecured server with thousands of requests for relayed email.
    Amazing. You CLAIM to be an administrator of a box, yet you don't understand the concept of reading your maillog. Funny, my mail log lets me know when people are using it who should not be using it.

    See their site for details.
    I did read their site. And, they STILL are net-terrorists.

    only test when a suspected unsecured site is nominated by someone.
    BULLSHIT If this was the case, why was a request for the basis of spam claim ignored? Because they can not provide it. I'd LOVE to see the claimed spam mail for my source....yet, this is not forthcoming.

    Terrorists who are unable to back up their terror campaign when caught red-handed.

  • For as long as I've figured out how to use nslookup, I've been waging my own private war against spammers.
    Lately, my anger has been less and less directed toward the spammers themselves (they're still bastards), and more and more toward the companies that allow it to happen.
    Specifically, PSINet and uunet, but I've also got spam from AOL, the sprint dialup network, and various lesser-known servers. Most of the time, the only kind of response I get when I send in an abuse report is a form letter, and that's it. Sometimes I get to know when the offender's account has been closed down, but when it's actually a relay acting up, that doesn't help.
    And no matter how many abuse reports I send in, no matter how many times I send a letter to the administrative contacts telling them that they are allowing people to exploit security holes (the open relays) in their mailservers to send bulk e-mail to people, I've never once got any kind of reply other than a form letter.
    So my question is, really, is there any way to get through to these people? Are the corporate ISPs so utterly clueless that they can't comprehend the idea that spam is a Bad Thing? What does it take to get through to these corporations? Does the Better Business Bureau take complaints about spam-enabling companies? Would writing letters to the editor every time a spam-offending company is mentioned positively in an article help? Would making an appointment with the corporate types and showing up in person even make it past the "call them up and try to arrange something" phase?
    I'm becoming really burnt out on trying to get rid of my spam. The S/N ratio on my mailbox has dropped to almost negligible levels - I'd abandon it if most people didn't e-mail me there. I want to stop spammers, but even sending e-mail to abuse departments doesn't help. What, then, can be done?
  • Conversely, I haven't been able to attribute any of the last dozen or more spams I've gotten to an AOL source. Plenty have listed AOL in the headers, or included AOL e-mail addresses, but they were all forged in an effort to put people off of their trail.

    Additionally, in the same period of time, I've received probably 8 or 10 e-mails from friends/family that use AOL. I would most certainly raise a stink if my ISP decided to honor ORBS lists and keep me from receiving this e-mail.

    IMO, AOL doesn't account for *nearly* the amount of spam as other major ISP's out there, and despite the fact that their abuse address never really replies to my complaints (or if they do, it's usually about a month later), I rarely (if at all that I can remember) get a repeat AOL spammer. I mean I'm perfectly willing to acknowledge the possibility that I might just be lucky, and that the true majority are getting pummeled with repeated AOL spams from the same people, I'm just not one of those people, and from what I've been reading, lots of others are in the same boat as me.

    I've never been particularly impressed with ORBS.. their "rules" about who gets added are entirely too subjective and not nearly as objective as they need to be. MAPS RSS has the same goals (listing open relays), but they're much more responsible about when they list someone. *shrug*.. Just my opinion.
  • by opus ( 543 ) on Tuesday March 28, 2000 @12:07PM (#1164399)
    You can always "whitelist" any servers that you wish to receive mail from, despite their presence on ORBS, RSS, RBL, or DUL, by putting them into /etc/mail/access (assuming you're running sendmail, and have that feature enabled), e.g.

    mail.wideopenrelay.com RELAY

    This, of course, diminishes the punitive value of the list, but it's better than not using the list at all. IMHO, you don't even need to give a second thought to using the RBL (which only lists serious repeat offenders, IIRC) and the DUL (dialup users should use their ISP's mailserver). The only servers I've had to whitelist at a user's request have been on RSS, which is far more aggressive than the RBL. (I don't use ORBS, since I find it too aggressive.)
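How the lists described earlier in the thread (RSS, DUL, RBL) are actually consulted, and how an access-db whitelist like the `RELAY` entry in the comment above overrides them, as an added example (not the poster's configuration or sendmail's code). Zone names, the access-db entries and the in-memory "DNS" are constructed; a real DNSBL is queried the same way, by reversing the IP's octets and appending the zone, with a listed address resolving (conventionally to 127.0.0.x) and an unlisted one returning NXDOMAIN.

```python
"""DNSBL lookups with an access-db whitelist in front (constructed example)."""
import ipaddress
import socket

# Constructed access-db text in the format shown in the comment above.
ACCESS_DB = """\
# host or IP                 action
mail.wideopenrelay.com       RELAY
192.0.2.10                   OK
"""

# Constructed zone names standing in for the three lists the thread discusses.
ZONES = [
    ("rbl.test", "RBL: site listed as a spam source"),
    ("dul.test", "DUL: address is in dialup space; use your ISP's relay"),
    ("rss.test", "RSS: relay has actually been used to send spam"),
]

# Constructed in-memory "DNS": names that would resolve (i.e. are listed).
FAKE_DNS = {
    "5.2.0.192.rss.test",        # 192.0.2.5 has relayed spam
    "10.2.0.192.rss.test",       # 192.0.2.10 too, but it is whitelisted above
    "7.113.0.203.dul.test",      # 203.0.113.7 is a dialup address
}


def dnsbl_name(ip, zone):
    """192.0.2.5 in zone rss.test is queried as 5.2.0.192.rss.test."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(name):
    """Offline stand-in for a DNS A lookup."""
    return name in FAKE_DNS


def real_resolve(name):
    """Real lookup: a listed name resolves; NXDOMAIN surfaces as gaierror."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def parse_access(text):
    """Map lower-cased host/IP keys to their action (RELAY, OK, REJECT, ...)."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split()
        entries[key.lower()] = action.upper()
    return entries


def check_client(ip, hostname, resolve=fake_resolve, zones=ZONES):
    """Return (verdict, reason). The whitelist wins over every list, which is
    exactly why it diminishes the lists' punitive value."""
    access = parse_access(ACCESS_DB)
    for key in (hostname.lower(), ip):
        if access.get(key) in ("RELAY", "OK"):
            return "accept", "whitelisted in access db as %s" % key
    for zone, meaning in zones:
        if resolve(dnsbl_name(ip, zone)):
            return "reject", meaning
    return "accept", "not listed in any zone"


if __name__ == "__main__":
    for ip, host in [("192.0.2.5", "smtp.bulk.test"), ("192.0.2.10", "mx.partner.test"),
                     ("203.0.113.7", "ppp7.dialup.test"), ("198.51.100.1", "mx.clean.test")]:
        print(ip, host, check_client(ip, host))
```

Pass `resolve=real_resolve` and real zone names to run it against live lists. The access-db matching here is exact-key only; sendmail's own access map also matches parent domains and IP prefixes, so treat this as the lookup order rather than a drop-in replacement.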
  • by Hrunting ( 2191 ) on Tuesday March 28, 2000 @11:56AM (#1164400) Homepage
    Great, AOL has been added to ORBS. This will probably serve to invalidate ORBS more than anything else. The fact of the matter is that an ISP can not refuse AOL e-mail. AOL simply puts out too much legitimate e-mail to make blocking them outright even a possibility. The customer complaints would be tremendous and it would cause an ISP to lose credibility with customers who don't understand things like ORBS and open relays, who only understand things like grandma can't e-mail her granddaughter happy birthday. What's that mean? Selective entries on ORBS will start being ignored and once you start down that slippery slope, you may as well wave bye-bye to any sort of influence that list may have.

    What needs to happen is a bunch of ISPs need to get together and file a lawsuit against AOL for allowing so much spam through their systems. A groundbreaking case for responsible management of systems on the Internet would serve our fair network well.
  • by Booker ( 6173 ) on Tuesday March 28, 2000 @01:32PM (#1164401) Homepage
    It's not subjective control of the net. Each sysadmin chooses whether (s)he wants to use these tools (ORBS and MAPS), or not. If you use it, you are explicitly trusting the judgement and management of the tools.

    I also find your anecdote extremely surprising, and I'd like to see some proof... I thought that the RBL was a last-ditch effort after contacts had been made.


  • by unicorn ( 8060 ) on Tuesday March 28, 2000 @12:28PM (#1164402)
    In the immortal words of one of my co-workers. "You can't spell a**hole, without AOL"
  • by kinesis ( 13238 ) on Tuesday March 28, 2000 @06:51PM (#1164403)
    I've been a victim of their net-terrorism.

    My company has a dedicated server through Digital Nation. Well, apparently, we inherited the IP address of a machine that USED TO BE an open relay. Never mind that we've been using a version of sendmail that doesn't permit open relays since the first day we turned the machine on.

    And ORBS refused to take us off their list.

    You can't call them up and reason with a human being. You're totally at the mercy of their anonymous maintainers. And they don't listen to you when you show them PROOF that your IP isn't an open relay. And they don't listen to your ISP when they show them PROOF that there is no open relay.

    ORBS sucks. Their cure really is worse than the disease.
  • by Silver A ( 13776 ) on Tuesday March 28, 2000 @12:31PM (#1164404)
    My ISP [dnai.com] gives me the option of tagging e-mail that originates from RBL, ORBS and DUL listed servers. I haven't gotten an e-mail yet from an RBL-listed server that wasn't spam, but most of the ORBS-tagged e-mail was from legitimate sources, mostly people's work e-mail addresses.

    As a behavior-modification tool, the ORBS is useless. Too many people run insecure mail servers for most people to be willing to filter it all out. Enforcing the ORBS list will be more painful to the enforcer than the violator.

    A better method would be to get a court case to establish that people running insecure mail-servers have partial liability for spam-floods using their server. A case could easily be made that anyone with the knowledge to run a mail-server has the ability to discover that running an open relay is dangerous, and the ability to perform some minimal securing.

  • by seebs ( 15766 ) on Tuesday March 28, 2000 @12:36PM (#1164405) Homepage
    You talk about ISP's "suing AOL for allowing so much spam..."

    This has *NOTHING* to do with ORBS.

    ORBS claims to list open relays. I haven't yet seen a convincing demonstration that AOL has an open relay.

    ORBS, however, goes further. If they can't scan your /16, launching ten or more attacks on every system in it, at their convenience, you will *ALSO* get listed.

    Neat, huh?

    Of course, "ORBS doesn't scan". Of course not. Other sites do scans and submit results to ORBS. Or just submit whole netblocks. Or something.
  • by seebs ( 15766 ) on Tuesday March 28, 2000 @12:42PM (#1164406) Homepage
    Completely misleading.

    If you follow the naive instructions to turn on ORBS, it will bounce everything, and it will also bounce all of the "static listings" - hosts which are almost always *NOT* open relays, many of which have never emitted a single spam, ever, but just don't allow gratuitous testing.
  • http://www.mail-abuse.org/rss is a "realtime" relay system. If you get a spam that used someone else as a relay, you forward them the IP of the relay, and it gets added to an RBL style list. Only after it's been proven that someone's mail server is being used for spam can it get added, and the turnaround time for off and on this list is very short. Take a look at their FAQ [mail-abuse.org] for more info.
  • by Alan Cox ( 27532 ) on Wednesday March 29, 2000 @02:40AM (#1164408) Homepage
    Aside from the irony that the AOL listing is not for AOL itself but the dialups..

    People like you who don't bother to secure themselves against spam are why the problem exists. If you had an unsafe building then you would get forced to clean it up.

    ORBS exists because people don't care about open relaying. Hey, it's not you being spammed, it's all those other folk, you can fix it later.

    Not socially responsible at all.

  • by Tower ( 37395 ) on Tuesday March 28, 2000 @11:56AM (#1164409)
    Well, I know of a few people who are going to be a little disappointed if this happens... my school properly secured the mailserver a few years ago, at which point some of the more spam oriented folks on campus realized that AOL's servers were still wide open for such things... actually, so were SGI's (at the time). I'm sure that's been fixed...

    The best is when the school ran a local search, and all sorts of people got hatemail saying "we found an active relaying mailserver on the system in your room. Fix it or be assimilated... I mean, deactivated" (or something to that effect). Pretty funny. Then, of course, came the firewall, so that ended the need for that, so they only scoured internal webservers for spurious /mp3 and /movies directories... There were more than a few people who got shut down because of that.

    Of course, a college can easily shut off a port on a managed hub, but for AOL, maybe Sprint, MCI, et al. could just sever any links out to the rest of the world until they comply... that would be pretty funny (I can see the even dumber commercials now... "Now with re-activated internet connectivity!").

    AOL... hehe
  • by scrain ( 43626 ) on Tuesday March 28, 2000 @08:33PM (#1164410)
    AOL doesn't use any external 'blocking lists' in total. We maintain our own lists of problem providers and dialup IP ranges, supplemented by careful and judicious use of what's publicly available.

    There's a simple reason that we don't bounce messages during the transaction, and that's because we don't verify user information during the transaction, in order to prevent spammers from dictionary-attacking us to get lists of AOL's usernames (Not that they don't try... they do... constantly).

    Even though we have controls in place to try and prevent the amount of bounced mail we send to a delivering site, we still crush a number of them from time to time, because they're a: getting spammed through, or b: getting spam forged in their name.

    Ask Netcom (well, you could if they were still around in other than name), MCI, Yahoo, hotmail, and more, but they're the ones that everyone knows. Hell, Vint Cerf's called personally to get us to take it easy on 'em. (I did).
  • by scrain ( 43626 ) on Tuesday March 28, 2000 @08:41PM (#1164411)
    We simply don't have time to respond to spam complaints... way way WAY too many of them. We can't tell you any specific details of any action we take against a member's account, because AOL's privacy policy guidelines prohibit this. (though I've been known to drop the occasional hint when it's something that needs a response)

    I (up 'til yesterday) was the person that dealt with IRC abuse, and I know that it gets dealt with, albeit slowly, because it takes a while to track down the actual user.

    As for MU(X|SH|CK|D)s, I'm a mux/mush coder myself, and I'm pretty damn sympathetic to those kinds of abuses, and if I see 'em, they get dealt with harshly (no, that doesn't mean mail me directly... reports from people I don't know get ignored 'cause otherwise I'd go insane)

    AIM is (supposed to be) self-policing... that's what the warning ability is there for. Sure, it gets abused, but well, you can't give something away with assholes getting in the mix.

    Scott Crain
    AOL Mail Ops (and up way too late. Where's dat update you mentioned, Hemos? =)
  • I couldn't agree more. I have a system running qmail which I'm pretty sure is not an open relay, but I can't post to mailing lists that use ORBS because ORBS blocks every single address associated with my ISP, Roadrunner. Why? Because Roadrunner objected to being scanned. Perhaps a little pigheaded on their part, but it's Roadrunner's prerogative. It was even more pigheaded of ORBS to retaliate by listing every single *.rr.com host as an open relay.

    I simply don't see how ORBS helps the internet community. They block hosts indiscriminately, sometimes vindictively.

    Here's Roadrunner's commentary on the whole mess, taken from one of their newsgroups:

    ; "Jr." wrote in message news:MPG.12ffb6474d5873d1989688@newsr2.texas.rr.com...

    HISTORY:

    Road Runner customers and Affiliates initially contacted us with a security issue. They were concerned with their privacy and security when an unknown entity (to them) began scanning them without permission. We initially tried to address this case by case and later contacted the ORBS administrators and requested that this unwelcome scanning be terminated. This is analogous to someone requesting they be removed from a list that they did not subscribe to. With this request, all Road Runner IP space was unexpectedly added to the ORBS list with a public statement on the ORBS WWW site, as well as the bounce message which our subscriber has received. As scanning continued against our repeated requests, the individual ORBS scanning hosts were filtered out of our network.

    Although we strongly believe in stopping SPAM on the Internet, as well as respect the initial work and charter ORBS has been under in the past, we have serious concerns at the current methods and actions that are taking place:

    e.g.
    - Scanning of private networks without permission from targets
    - No REMOVE capability from the ORBS scanner
    - When someone tries to stop or block the ORBS scans, they are blocked by ORBS.
    - No warning, as well as false public statements about the individuals scanned or their provider. THAT IS: If you have a relay (known, or unknown to you) you are called a SPAM supporter publicly without any warning to correct it before ORBS adds you.
    - Misinformation on ORBS' own web site (http://www.orbs.org/whatisthis.html): "What is ORBS? The short answer: ORBS is a validated database of open mail relays and open mail relay output points, accessible via DNS lookup."
    - The addition of Road Runner hosts to a "secret" database. Road Runner hosts are not listed via their normal web lookup at http://www.orbs.org/verify_1.html

    Road Runner believes strongly in the fight against SPAM. We have addressed it with strong policies, enforcement and our own relay detection methods. We will continue this effort, and work together with other providers and the Internet community (including ORBS) to make a difference. However, we reserve the right to assess the methods used, by whom, and determine the best way to accomplish the desired results for our business.

  • by airgee ( 118217 ) on Tuesday March 28, 2000 @12:54PM (#1164413)
    Right now, 22:40 UTC, no AOL server is listed by ORBS. I mean, no MX for the domain aol.com is listed by ORBS. Maybe an AOL client is listed by ORBS, but certainly not the entire aol.com domain.

    # host -t MX aol.com
    aol.com mail is handled (pri=15) by yh.mx.aol.com
    aol.com mail is handled (pri=15) by za.mx.aol.com
    aol.com mail is handled (pri=15) by zb.mx.aol.com
    aol.com mail is handled (pri=15) by zc.mx.aol.com
    aol.com mail is handled (pri=15) by zd.mx.aol.com
    aol.com mail is handled (pri=15) by yb.mx.aol.com
    aol.com mail is handled (pri=15) by yc.mx.aol.com
    aol.com mail is handled (pri=15) by yd.mx.aol.com
    aol.com mail is handled (pri=15) by yg.mx.aol.com

    Ok, each entry is a round-robin alias with 4 IPs.
    With a bit of typing and http://www.xnet.com/~emarshal/rblcheck/, I verified that no IP listed by this simple query is actually listed in ORBS database, or at least the database which can be queried by the standard RBL DNS hack.

    # host za.mx.aol.com >> foo
    # host zb.mx.aol.com >> foo
    etc...
    # echo "bla 127.0.0.2" >> foo
    (this is to check the script below)

    (script named "bar")
    #!/bin/sh
    # Query only the ORBS zone (-c clears the default lists, -s adds one);
    # rblcheck exits 1 if the address is listed and 0 if it is not.
    rblcheck -q -c -s relays.orbs.org "$1" >/dev/null 2>&1
    echo "$? : $1"

    # sed 's,.* \([0-9.]*\)$,\1,g' foo | xargs -n1 ./bar
    ("0 : " == not listed in ORBS
    "1 : " == listed in ORBS)
    0 : 152.163.224.3
    0 : 152.163.224.4
    0 : 152.163.224.5
    (...etc...)
    0 : 205.188.157.1
    0 : 205.188.157.2
    1 : 127.0.0.2
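    The lookup the script above delegates to rblcheck, as an added example that is not part of the thread or of rblcheck: the address is reversed and queried as a name under the list zone, and an answer of 127.0.0.2 means "listed". The zone relays.orbs.org, the 127.0.0.2 answer and the MX addresses come from the post; the resolver is injected so the check runs offline, and the fake zone contents are constructed.

```python
"""DNS-based relay blocklist (ORBS-style) lookup with an injected resolver.

Added example, not code from the thread or from rblcheck. Only the zone
name and the 127.0.0.2 'listed' answer are taken from the post above;
the stand-in zone data below is constructed.
"""
import ipaddress
from typing import Callable, Optional

# Answer an ORBS-style zone returns for a listed address, per the post.
LISTED_ANSWER = "127.0.0.2"


def dnsbl_query_name(ip: str, zone: str = "relays.orbs.org") -> str:
    """Build the name to look up: octets reversed, then the list zone.

    This is the "standard RBL DNS hack": an A query for
    3.224.163.152.relays.orbs.org asks whether 152.163.224.3 is listed.
    """
    addr = ipaddress.IPv4Address(ip)          # rejects junk input early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, resolve: Callable[[str], Optional[str]],
              zone: str = "relays.orbs.org") -> bool:
    """True if the zone answers with the 'listed' address for this IP.

    `resolve(name)` returns the A record as a string, or None on NXDOMAIN.
    Injecting the resolver lets the logic run (and be tested) offline.
    """
    return resolve(dnsbl_query_name(ip, zone)) == LISTED_ANSWER


def policy_for(ip: str, resolve: Callable[[str], Optional[str]],
               mode: str = "tag") -> str:
    """Map a lookup to the action the local admin chose for listed hosts:
    'reject' (bounce), 'tag' (mark as possibly spam) or 'log' (just record).
    Unlisted hosts always get 'accept'.
    """
    if mode not in ("reject", "tag", "log"):
        raise ValueError(f"unknown mode {mode!r}")
    return mode if is_listed(ip, resolve) else "accept"


# Constructed stand-in for DNS: only the RBL self-test address 127.0.0.2
# (the entry the post appended to 'foo' as a sanity check) is listed.
FAKE_ZONE = {"2.0.0.127.relays.orbs.org": LISTED_ANSWER}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("152.163.224.3", "205.188.157.2", "127.0.0.2"):
        print(int(is_listed(ip, fake_resolve)), ":", ip)
```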
  • by handorf ( 29768 ) on Tuesday March 28, 2000 @12:03PM (#1164414)
    You can just use ORBS to flag potential spam.

    From their What is this? [orbs.org] Page:

    ORBS is NOT a "black hole" - we do not disseminate routing information causing included hosts to be unreachable from portions of the Internet. Running an open relay is usually accidental and those admins who continue to run open relays after being warned about it by ORBS and/or other entities will eventually find themselves in the MAPS RBL - which is a "black hole" and is used by at least 40% of the mail servers on the Internet.

    ORBS tracks these systems so that people operating mailservers subscribed to our database can block e-mail coming from open relays until such time as they are fixed to no longer permit third-party SMTP relay.

    Admins may alternatively set their systems up to tag messages delivered from open servers as "possibly spam", or just log the connections. What any admin does is entirely up to that admin. If you've been blocked from delivering mail and given a pointer to this site please note: It is the decision of the administrator of the site which blocked you to disallow mail from open relays. Those open relays must comply with that admin's rules (not ours) in order to deliver mail to that site - we're just verifying to the admin whether a host is an open relay or not.

  • by DrSkwid ( 118965 ) on Tuesday March 28, 2000 @01:35PM (#1164415) Homepage Journal
    despite the fact that it's great fun watching people find outlets for their high horse talk, heck I'm one of 'em.

    I've never used AOL or had any problem with any of its users. What I do know is that it's using its muscle in the UK to force down the price of access. They are attempting to expand in the UK not by simply wooing competitors' customers but by expanding the market. In this way even maintaining market share - or even losing some - is still a win. When players such as Freeserve haven't turned a profit but derive their huge revenue from the bloated cost of access, they are still vulnerable to the next wave.
    AOL was the first major company to move to 1p a minute 24-hour access. Previously it was 4p per minute for daytime modem access (8am-6pm). Others have quickly followed (ntl: for instance) and now we are beginning to see flat-rate 24/7 access finally arrive.
    The UK is finally going to come alive net-wise, so expect plenty more AOL users to come aboard.
    .oO0Oo.
  • by Anonymous Coward on Tuesday March 28, 2000 @12:33PM (#1164416)

    [posting anonymously for obvious reasons]

    Our company's primary mail server has been in the ORBS database for a long, long time... We made the choice (mistake?) of choosing a closed-source, commercial mail package running on Windows NT Server instead of something open (like Sendmail or Qmail). I've been regretting it ever since...

    Our relay is partially open - it allows relay only if the sender's e-mail address or at least one recipient's e-mail address is from a locally-hosted domain. Not the most secure method, perhaps, but it seems to be enough extra work that spammers simply find a wide-open relay and use it instead of us.

    Originally, we had a completely open relay, but after a few incidents where our server was used by spammers, we paid (through the nose) for an add-on option to our mail server to allow this selective relay ability. During one of these incidents, we were added to the ORBS database. And once you're in the ORBS database, you never, ever, ever get out, even if you're clean.

    We passed the ORBS test with flying colors after getting the selective relay option working on our system... until about a year later, ORBS put us back in the database, after adding a couple new tests. One of the tests (NULL sender envelope) got through our system, and we were once again considered an "open" relay.

    About that time, our mail server vendor had just released a new version of their software, including a fix for the problems ORBS detected. And it was bargain priced - only $1,500 US to upgrade to version 4.0! And hey - that "unlimited" domain hosting option we paid for? Sorry, not available in version 4.0, we'll have to pay-per-domain. Oh, and we'll have to pay extra to upgrade the anti-spam option we already paid $800 extra for just a few months ago.

    This is turning into a ramble... I guess my point is, thanks to needing to have a partially open relay to support our remote and traveling users (quite a large number) and getting screwed over by our software vendor, we're now considered an "open" relay. So far, in the past six months or so since we were re-classified as open, we haven't had a single message bounce back to us, and we haven't had a single incident of spammers hijacking our server... but it still drives me nuts thinking that our server is in a blacklist.

    I've been looking at a few options, such as the new authenticated SMTP options available in Sendmail and Qmail, but realistically? If it's not causing us a problem (i.e. bounced/blocked mail) then it's not high enough on our priority list to allocate the time and resources required to do it right.

    And that's why I'm on the blacklist, and likely to stay there for the foreseeable future...

  • by seebs ( 15766 ) on Tuesday March 28, 2000 @12:29PM (#1164417) Homepage
    ORBS has, for quite a long time, been a list of "open relays, sites that object to being port-scanned, systems whose admins irritate the ORBS admins, systems that block port scans", and the like.

    Really, they're jerks, and you should *NOT* use them to filter mail, unless you particularly think that everyone in the world has a moral obligation to let some guy run relay-rape attempts on their servers any time he feels like it.

    I like MAPS. I don't like ORBS.
  • by IIH ( 33751 ) on Tuesday March 28, 2000 @10:46PM (#1164418)
    There's a much better way to do this. I modified our POP server at a previous employer such that it placed an IP on an approved relay list for up to two hours after a valid authentication.

    I have also this set up, but there is one problem. People dial up, check their email, fine, and disconnect. Then they compose replies and reconnect (usually with a different IP, of course :( ). Alas, Outlook attempts to send email before it checks, so all those replies would be rejected. (It only has a send/receive button, not two different "check" and "send" buttons.) So, now they all have a little app that does a pop3 login, which they have to run before sending anything.
    --
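    As an added example (not code from the thread or from any mail server), here is a relay decision that combines the two points raised above: the POP-before-SMTP grant with the two-hour window IIH describes, and the reason the "sender or recipient is local" rule from the anonymous post is weak. The local domain, IP addresses and timestamps are constructed; the scenario function replays the Outlook send-before-receive failure.

```python
# Added example, not code from the thread or from any mail server.
# POP-before-SMTP relay grants with the two-hour window IIH describes, plus
# the reason a "sender address is local" relay rule (the AC post) is weak.
# Local domain, IPs and timestamps are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set

POP_GRANT_SECONDS = 2 * 60 * 60          # two hours, as in the post


@dataclass
class RelayPolicy:
    local_domains: Set[str]
    pop_logins: Dict[str, float] = field(default_factory=dict)  # ip -> time

    def record_pop_login(self, ip: str, now: float) -> None:
        """Called by the POP server after a successful authentication."""
        self.pop_logins[ip] = now

    def ip_authorised(self, ip: str, now: float) -> bool:
        """True while a POP login from this IP is within the grant window."""
        seen = self.pop_logins.get(ip)
        if seen is None or now - seen > POP_GRANT_SECONDS:
            self.pop_logins.pop(ip, None)    # expire stale grants
            return False
        return True

    @staticmethod
    def _domain_of(addr: str) -> str:
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    def decide(self, ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Return 'deliver', 'relay' or 'reject' for one RCPT TO."""
        if self._domain_of(rcpt_to) in self.local_domains:
            return "deliver"                 # inbound mail is not relaying
        # Relay to a foreign domain only for a recently POP-authenticated IP.
        # MAIL FROM is deliberately ignored: it is chosen by the client, and
        # the null sender '<>' is valid SMTP, so a rule that trusts a "local"
        # sender address is satisfied by anyone who claims one (or none).
        if self.ip_authorised(ip, now):
            return "relay"
        return "reject"


def outlook_scenario() -> List[str]:
    """Replay the failure mode IIH describes: the client reconnects with a
    new IP and hits Send before it has checked mail."""
    p = RelayPolicy(local_domains={"example.com"})
    p.record_pop_login("10.0.0.5", now=1000.0)          # first dial-up session
    first = p.decide("10.0.0.5", "u@example.com", "x@other.example", 1500.0)
    # Reconnected as 10.0.0.9; Outlook sends before it receives: no grant yet.
    second = p.decide("10.0.0.9", "u@example.com", "x@other.example", 4000.0)
    p.record_pop_login("10.0.0.9", now=4001.0)          # the little POP3 app
    third = p.decide("10.0.0.9", "u@example.com", "x@other.example", 4002.0)
    return [first, second, third]            # ['relay', 'reject', 'relay']
```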
  • by scrain ( 43626 ) on Tuesday March 28, 2000 @12:57PM (#1164419)
    AOL has some new machines in place to redirect part of what would normally be the dialup (*.ipt.aol.com) mail traffic through machines where we can monitor the volume to control spam. We're just testing it at the moment, and these redirection proxy machines are the ones listed in ORBS, with my support and permission. AOL's dialups have been listed in ORBS and the MAPS DUL for a long time, because well, lots of mail shouldn't come directly from dialups to someone else's mailserver.

    Now what're y'all gonna say, when ya find out that AOL added those machines to ORBS for your own good.

    Scott Crain
    AOL Mail Operations
  • by multipartmixed ( 163409 ) on Tuesday March 28, 2000 @11:50AM (#1164420) Homepage
    This is actually quite frustrating. As a consumer, I strongly dislike AOL. However, they have a huge share of the North American e-mail market. I am trying to convince my superiors to let me start refusing mail based on ORBS and MAPS RBL queries, but denying a large volume of legitimate mail (as the case would be with AOL on the ORBS list) actually puts us in a situation where our customers would be complaining that they can't get their e-mail. O, woe is me. Is there a solution to this conundrum? I don't for one minute believe that AOL gives a rat's ass about open relays, or what list they are on -- after all, they are used to being hated. Hrmp.

    --
