Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

ORDB.org Going Offline

Hemos posted more than 6 years ago | from the the-end-of-the-road dept.

Networking 156

Allan Joergensen writes "ORDB.org has announced that they will shut down their services after fighting open relays and spam for more than five and a half years. The RBL DNS service and mailing lists will be taken down today (December 18, 2006) and the website will vanish by December 31, 2006." The reasons given tend to be the usual ones - volunteers have been focused on other things in life; my salute to those folks for keeping the service up as long as they did.

cancel ×

156 comments

Sorry! There are no comments related to the filter you selected.

I'll miss' em (2, Interesting)

laughing rabbit (216615) | more than 6 years ago | (#17287848)

Even though it took a long time to get my own domain off their list after I left a mis-configured server out in the wild, I really appreciate all they have done over the years. Who will take up the mantle next?

Re:I'll miss' em (3, Insightful)

dreddnott (555950) | more than 6 years ago | (#17288194)

I happened to run into an accidental open relay mail server during an onsite consultation (I ended up completely restructuring their deployment and getting ripped off). Most of the MILLIONS of e-mails were coming from China and/or Taiwan, and this was only a few months ago. Are the ORDB people sure they're not going to bring back the open relay problem by shutting down their admittedly useful services?

While the cancer of spam may have metastasized to other parts of the Internet, it doesn't mean it can't grow back in the places these guys are abandoning. As I understand it, there are other blacklists but nothing quite like the ORDB.

Re:I'll miss' em (3, Funny)

Anonymous Coward | more than 6 years ago | (#17288646)

Imagine one day, Slashdot.org would shutdown too. Can't think of the consequences...

We regret to inform you that slashdot.org, at the ripe age of 8 and a half, is shutting down. It's been a case where all the comments were either too +5 Linux or -5 Microsoft or too insightful that the moderators had to mod it "+2 BSD". Also very little work has gone into maintaining our Mysql database. We should have switched to MS SQL Server long back.
This caused our readers to get pre-occupied with the only other aspect of their lives, namely porn. In addition, the general consensus within the team is that open source technology is no longer the most effective way of preventing windows from entering your next door cute girl's desktop.

...where would all the nerds go?

Re:I'll miss' em (1)

Per Abrahamsen (1397) | more than 6 years ago | (#17288740)

Isn't it just to enter your domain (IP) in a form, and press "submit for testing"?

I vaguely remember doing that once, after my ISP refused to accept my outgoing mail, because they had assigned me an IP that had previously been used for an open relay.

Re:I'll miss' em (1)

clark0r (925569) | more than 6 years ago | (#17289972)

Are you sure that's what your ISP did? I wasn't aware that ISPs ban email on port 25 for IP addresses that have previously been open relays. Most ISPs offer their own mail services of SMTP/POP3 (eg @ntlworld.com addresses). If they stopped all of your outgoing mail through their servers, then you wouldn't be able to use your ISP supplied mailbox! On the other hand, this is the UK. Most of our ISPs aren't too restrictive on what you do with your Internet connection.

Re:I'll miss' em (1)

Per Abrahamsen (1397) | more than 6 years ago | (#17290254)

I could read mail on my ISP mail account (pop3), but I could not use them as my mail relay (smtp).

Re:I'll miss' em (0)

Anonymous Coward | more than 6 years ago | (#17289830)

Took me a long time to get off their list even when I was properly configured. Big hassle, angry clients. I will not miss their brand of vigilante action. Good riddance.

The reasons (5, Informative)

jginspace (678908) | more than 6 years ago | (#17287894)

The reasons are, expanding from TFA: "open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community."

I concur.

Re:The reasons (1)

MztrBlack (35164) | more than 6 years ago | (#17287978)

Truth. I'm down to about one spam in a thousand that's coming from a (known) open relay on my mail server. Doesn't mean spam is any less, just that RBLs aren't serving the purpose they once did.

Re:The reasons (3, Informative)

BenFranske (646563) | more than 6 years ago | (#17288028)

Which is nearly what they said in the article:
We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).

Re:The reasons (1)

LoadWB (592248) | more than 6 years ago | (#17288760)

Their statement is exactly the reason why I have been migrating away from DNSBL use solely, and modified my "no whitelist" policy -- DNSBLs are useful, but by themselves lack effectiveness.

In the case of ORDB, out of a couple hundred thousand email rejections last week, only five were due to an ORDB listing. In my configurations, ORDB is fourth in line to other DNSBLs, like the SBL/XBL, which catch a good 73% of crap before ORDB even has a chance.

Many thanks to them for the work over the years.

Blacklists are usefull... (0)

Anonymous Coward | more than 6 years ago | (#17290146)

For adding a few points in SpamAssassin. Other than that, don't rely on it.

Re:The reasons (0, Redundant)

Bazer (760541) | more than 6 years ago | (#17288052)

"Me too."

Fix that for ya.

Apart from that. What's the best way to fight spam today?

Re:The reasons (0)

Anonymous Coward | more than 6 years ago | (#17289400)

Greylisting.

Greylisting? (1)

jrobinson5 (974354) | more than 6 years ago | (#17291700)

Greylisting? Pfft, purplelisting is where it's at.

I wonder... (4, Insightful)

jfengel (409917) | more than 6 years ago | (#17288074)

If the RBLs go offline, will spammers shift back to using open relays? I suspect not; the bot-nets are harder to stop and, from the spammer's POV, probably more reliable. The dark side of distributed, highly redundant networks.

Still, it's pretty nice to think that they're going offline because they've largely solved the problem they were fighting. It's like declaring smallpox or polio extinct. And if they come back, we'll remember the formula.

Re:I wonder... (1)

pla (258480) | more than 6 years ago | (#17288302)

Still, it's pretty nice to think that they're going offline because they've largely solved the problem they were fighting.

I wish I could agree with that sentiment, but I'd call it a closer analogy to say that the disease gained immunity to the best known antibiotic so far and further use of it just wastes resources better spent elsewhere.

The governments of the world need to make it legal to hunt down and torture spammers and their extended families to death. Until then, they will always find ways to fill our inboxes with garbage.

Re:I wonder... (4, Funny)

Anonymous Coward | more than 6 years ago | (#17288486)

The governments of the world need to make it legal to hunt down and torture spammers and their extended families to death

Your post advocates a

( ) technical ( ) legislative ( ) market-based (x) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:I wonder... (0)

smaddox (928261) | more than 6 years ago | (#17289334)

Yeah, but that means you had to come up with about 30 phrases that didn't apply to the suggestion. Your just not lazy enough to exist here on slashdot.

Re:I wonder... (3, Informative)

nuzak (959558) | more than 6 years ago | (#17289510)

http://www.craphound.com/spamsolutions.txt [craphound.com]

He didn't invent the list. That's the kind of laziness we're looking for.

He even used it for the checklist's intended reason -- as satire. EVERYTHING fails somewhere on that list.

Re:I wonder... (1)

fullphaser (939696) | more than 6 years ago | (#17290562)

Furthermore, this is what I think about you: (x) Sorry dude, but I don't think it would work. ( ) This is a stupid idea, and you're a stupid person for suggesting it. ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
I am afraid the correct responce to a vigilante is always
(X) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:I wonder... (0)

Anonymous Coward | more than 6 years ago | (#17291176)

I am afraid the correct responce to a vigilante is always
(X) Nice try, assh0le! I'm going to find out where you live and burn your house down!


And as always, there's an "Internet Tough Guy" willing to show his ass.

Please.. I suspect most vigilantes have quite a bit more in the balls department than you do.

SORBS (3, Insightful)

Spazmania (174582) | more than 6 years ago | (#17287998)

Now if extortionist SORBS would die, the anti-spam communinity could refocus on dealing with actual spammers. SORBS never was a pillar of responsibility but the current practice of "dontate to a SORBS-approved charity to get off the list" is just plain wrong.

Re:SORBS (3, Informative)

GigsVT (208848) | more than 6 years ago | (#17288614)

Don't forgot the "we blocked you because you used the wrong ISP" people, SPEWS.

Re:SORBS (2, Interesting)

gclef (96311) | more than 6 years ago | (#17288804)

SORBS has one useful list: the dial-up DNS blacklist (spare me the diatribes about being able to send mail from a dynamic address. I know the arguments, but the benefit doesn't outweigh the cost of the spam coming from that address space).

I'm not willing to pay Trend Micro for access to what used to be MAPS for my one, small domain, and I haven't found anyone other than SORBS offering a collection of dial-up addresses as a DNS blacklist. If there are other, reliable, dial-up blacklists, I'd love to hear about them.

Re:SORBS (1)

benoitg (302050) | more than 6 years ago | (#17288994)

If people taking this stance would at least bounce the email, it wouldn't be quite so bad. Right now a lot of people don't, and those running their own mailservers do not even know when a message will not reach the intended recipient because their IP address wasn't "expensive enough".

Re:SORBS (1)

misleb (129952) | more than 6 years ago | (#17289386)

Problem with sending bouncebacks is that you can end up causing just as much of a problem as you are solving. If you bounceback messages to forged senders, you are effectively spamming people. One has to be careful about which messages are just dropped and which are bounced back. If you reject blacklisted IPs at the SMTP level, you should always get a bounceback. But if messages are "scored" based on blacklists, you may not get a bounceback if it scores to high...

-matthew

Re:SORBS (1)

CFrankBernard (605994) | more than 6 years ago | (#17290130)

He may already realize that. I've seen lots of people use the terms "bounce" and "drop" to refer either during delivery (in-session with connecting/source IP address) or else after DATA / message delivery. The former is of course the best. The sending server should be configured to copy the whole SMTP error ("bounce") message to the sender's inbox.

Re:SORBS (1)

gclef (96311) | more than 6 years ago | (#17289452)

The default behavior on the SMTP servers I've worked with (sendmail and exim4) is to reject the mail before the DATA segment if the source is listed in a DNSBL...so you should be getting bounces from most organizations that do this (that's certainly how mine's working).

Re:SORBS (0)

Anonymous Coward | more than 6 years ago | (#17289642)

In other words, please stop breaking the internet by supporting the idiots at SORBS.

Re:SORBS (1)

Secrity (742221) | more than 6 years ago | (#17290270)

The cure to this problem is for you to use your ISP's mail relay (or any other mail server that isn't using a dynamic IP address; which is usually residential grade internet service). I run a mail server for a rather large company and the server is configured to reject SMTP connections from dynamic IPs, which prevents quite a bit of spam -- and the sender is aware that the mail has been rejected.

Re:SORBS (1)

dodobh (65811) | more than 6 years ago | (#17290330)

dynablock.njabl.org

Re:SORBS (1)

chris mazuc (8017) | more than 6 years ago | (#17291052)

Blocking dynamic IPs is wonderful... unless you are unlucky enough to inherit an old dynamic subnet. I've spent the last three weeks getting off of almost every blacklist on the planet.

Already offline? (2)

The Blue Meanie (223473) | more than 6 years ago | (#17288024)

If they've already shut down, I guess that explains the rather sudden and rather LARGE increase in spam I had sitting in my various mailboxes waiting for me this morning. :(

Can anyone suggest a good alternative? I'm using spamhaus, sorbs, and uceprotect at the moment, and no, I won't use spamcop. ordb HAD been an excellent fourth.

Re:Already offline? (-1, Redundant)

BenFranske (646563) | more than 6 years ago | (#17288086)

Yes. Stop using RBLs, they're much less useful than in the past. See the article:
...open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.

We encourage system owners to remove ORDB checks from their mailer immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).

Re:Already offline? (4, Insightful)

Aladrin (926209) | more than 6 years ago | (#17288238)

Yes, we get that. He doesn't WANT TO.

I haven't seen BadAnalogyGuy lately, so I'll have to do his job I guess:

Slapping mosquitos is not the most effective way of killing mosquitos, but I'm not going to ignore the ones sucking my blood simply because sprays, candles and electric noises work better.

'Not best' is not the same as 'not useful.'

Re:Already offline? (1)

The Blue Meanie (223473) | more than 6 years ago | (#17288458)

Thanks. Couldn't have said it better myself.

See the many postings below this about how many people are blocking thousands of mails at the front door BEFORE subjecting them to resource-intense or flaky at best filtering solutions.

And my original question still stands.

ASSP (1)

goldcd (587052) | more than 6 years ago | (#17288828)

I started using Blacklists, but always ended up in a mess. Stuff still got through, so you'd add another blacklist and then one would randomly start blocking gmails 'to teach google a lesson' etc.
ASSP installs nicely (I'm actually running it on MS Server with hmailserver) and does what it says on the tin. Takes a week or so to train it up, but once it's up it easily gets 99% of all spam, tags it and then my mail server shoves it into my users junk folders.

Re:Already offline? (1)

dodobh (65811) | more than 6 years ago | (#17290424)

Which spamhaus list? The sbl-xbl is rather good. You might want to block email addresses with ' and non FQDN HELOs as well.

Re:Already offline? (2, Informative)

Incadenza (560402) | more than 6 years ago | (#17290518)

Here's my set-up (old-style Postfix config). No false positives in five years, so these are pretty reliable (and from the comment the I must have written myself, ordb has been of my list for quite a while):

maps_rbl_domains =
list.dsbl.org,
sbl-xbl.spamhaus.org,
hil.habeas.com,
dul.dnsbl.sorbs.net,
dynablock.njabl.org

# Not enough hits to justify keeping them in the list

# relays.ordb.org
# opm.blitzed.org
Also, for RBL's that might not be 100% reliable, there is a simple to way to add them to your spamassassin setup (/etc/mail/spamassassin/local.cf), as I have done for PSBL:

# http://psbl.surriel.com/howto/

header RCVD_IN_PSBL eval:check_rbl('psbl', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
score RCVD_IN_PSBL 0 1.00 0 1.00

Re:Already offline? (0)

Anonymous Coward | more than 6 years ago | (#17291368)

Well according to them they will shutdown December 18,2006 and they are in Denmark so it is technically down. The large spike of spam has being going since October 2006 and shows no signs of slowing down.
Back to the RBL I had this running until June 2006 when Google changed it smtp servers to send mail anonymously via some former spammer's IP address so I need to turn this service off. When I turn all of these service off but left them as part of the spamassassin's point calcuation my spam when off the deep end. It is pain for me and other mail administrators to have Google do this to us.

Re:Already offline? (1)

Onymous Coward (97719) | more than 6 years ago | (#17291590)

We must receive spam from radically different sources. (Which can't be the case, really.) Here's stats for back in October for performance of my then-configured 3 block lists:
    of 1609 total RBL rejections (for one week):

            94.0% DSBL (1514 blocks)
              5.7% Spamhaus SBL (92 blocks)
              0.1% ORDB (3 blocks)

+3 spam a week is obviously not a flood. I even had ORDB listed as the first DNSBL to check (sorry for the load, ORDB guys).

So ORDB hasn't been serving me for some time.

(Thanks to anyone about to recommend CBL/XBL, I'm already investigating.)

Omnipotent awareness... or not (2)

RingDev (879105) | more than 6 years ago | (#17288082)

I guess some of these groups have a rather large following, but how about actually linking to their page or to a wiki that describes what they do? For those of us lazy American's too lazy to cut and paste.

-Rick

Re:Omnipotent awareness... or not (2, Informative)

BenFranske (646563) | more than 6 years ago | (#17288138)

Maybe this will clarify [nyud.net] what they do.

Re:Omnipotent awareness... or not (1)

brufar (926802) | more than 6 years ago | (#17290456)

This is a large list of the different blacklists available with a short blurb about how they operate, if they are free or fee based, and a link to each site. http://shopping.declude.com/Articles.asp?ID=97 [declude.com]

182 working spam databases listed. 254 total spam databases listed. About 681 represented, including country databases. List of All Known DNS-based Spam Databases. The most common way of detecting spam is by using spam databases (blacklists, sometimes incorrectly referred to as RBLs, since RBL is trademarked by MAPS) that list the addresses of mail servers known (or believed) to send spam.

Thank god for dead RBLs (-1, Troll)

Anonymous Coward | more than 6 years ago | (#17288124)

Fuck their censorship and fascist vigilante tactics. We don't need that bullshit on the internet.

Good case why not to trust "community" services? (4, Insightful)

xxxJonBoyxxx (565205) | more than 6 years ago | (#17288174)

Is this a good case why it's not generally a good idea to put any long-term trust in "community" services like this?

The RBL DNS service and mailing lists will be taken down today (December 18, 2006) and the website will vanish by December 31, 2006.


Thanks - that's not even two weeks notice.

The reasons given tend to be the usual ones - volunteers have been focused on other things in life


More likely, they woke up one day and figured out they were sick of eating Ramen noodles while being taking for a ride by commercial leeches who never kicked back.

Re:Good case why not to trust "community" services (0)

Anonymous Coward | more than 6 years ago | (#17288232)

commercial leeches that never give back - that's why free software is dying and will NEVER work as a "business" model.

Re:Good case why not to trust "community" services (2, Informative)

Salsaman (141471) | more than 6 years ago | (#17288854)

You have a point, but Free Software is hardly "dying" ! That's a ridiculous claim to make. *More* Free Software is being produced and used today than ever before. Just take a look at Freshmeat or Sourceforge.

Of course, if commercial organisations did wake up and realise they have a responsibilty to help support developers whose software they use, then probably developers would have a more comfortable lifestyle, and project development would become more professional and better organised.

Also, software is different from a web service. If a developer abandons a Free Software project, the code is still out their for somebody else to build on, or perhaps the original developer will return to it after taking a break.

Re:Good case why not to trust "community" services (1)

dreddnott (555950) | more than 6 years ago | (#17288304)

They did provide the service free of charge for over five years if I'm not mistaken.

Still, you have a point. The same thing happens with other community-based products. An excellent example, although it might seem a bit puerile, can be found in pretty much every video game mod forum. There is either drama, or real life, or a new game in the series comes out, and *poof*, the mod, if it even reached a downloadable version, goes out the window and people are not even given the opportunity to "take up the mantle" as the first post said.

I have to suspend my disbelief a little bit to believe that nobody on the Great Intertron was willing to do this and at least occasionally maintain ORDB as a legacy service. I do understand, of course, the necessity of promptness in removing fixed mail servers from the list, although that wasn't really very prompt in practice, was it?

Re:Good case why not to trust "community" services (1)

uglydog (944971) | more than 6 years ago | (#17289064)

Thanks - that's not even two weeks notice.

That's great, isn't it? Much better than "this needs to be handled by the end of the day." Gosh, they gave us TWO weekends! Seriously, yeah it's short notice, but plenty of time for a quick workaround while coming up with a premanent replacement, if you even think it's necessary.

it's not generally a good idea to put any long-term trust in "community" services like this?

True dat.

Re:Good case why not to trust "community" services (1)

ACMENEWSLLC (940904) | more than 6 years ago | (#17290198)

I removed my server from checking them today. For grins, I went back a week to see how many uce's they blocked. I did not find one.

Anyone else notice this?

Re:Good case why not to trust "community" services (3, Informative)

mephistus (217351) | more than 6 years ago | (#17290834)

As far as community services go, I always put ORDB in the category of "means well, but a half assed effort." I inherited a job taking care of the mail servers at a company I used to work at, and I came to find out that we had an open relay and had been blacklisted. If memory serves me right, I want to say this was almost 5 years ago.

How did I come to find out that we had an open relay? Did ORDB notify us? Hell no. They just slapped us on their list, and our users started getting bounce messages from other mail servers. I fixed the problem quite easily once I knew about it, but the biggest problem was getting off the list!!! That was a whole other nightmare take took longer than hearing about the problem and fixing it.

So I say good riddance. Those guys are pretty bright and meant well, but my experience with them left me with a very bad impression. Hopefully they were more professional in recent years, but from the way they're ending their service, it sure as hell doesn't seem like it.

Re:Good case why not to trust "community" services (3, Informative)

scoof (2459) | more than 6 years ago | (#17291760)

ORDB always attempted to notify the administrators of listed servers, several variations on the postmaster@server would have been sent and ignored by the people maintaining the server before you.

Re:Good case why not to trust "community" services (1)

scoof (2459) | more than 6 years ago | (#17291834)

The zone has been emptied, so nothing will break due to the shutdown of ORDB.

Are RBL's really finished (4, Interesting)

Albanach (527650) | more than 6 years ago | (#17288244)

We, and many others, still use RBLs as a front line tool to stop spam. Generally it'll stop several thousand emails a day from even entering the mail system.

Spamassassin is great, we have sever custom rules and find it very effective. However it is resource intensive, especially if you are to add features like OCR detection of image spam.

Is it really the case that folk should be accepting all this traffic from known open relays and then spending processor cycles analyzing it?

Is there a middle ground? Some third way that lets lets you reject as much as possible at the start of the SMTP transaction? Greylisting is certainly an option but it presents significant problems too - many companies simply won't respond. Automatic emails will be missed, signup to websites becomes problematic etc etc. What, if any, are the other options?

Re:Are RBL's really finished (0)

Anonymous Coward | more than 6 years ago | (#17288572)

Is there a middle ground? Some third way that lets lets you reject as much as possible at the start of the SMTP transaction?

Sendmail Reject List

If I find a DHCP or dial-up pool spamming me, I place the pool on the Sendmail Reject List and *POOF*, there is one less trouble spot.

Re:Are RBL's really finished (4, Insightful)

LodCrappo (705968) | more than 6 years ago | (#17288598)

We block tons of spam simply by requiring the sending server to strictly follow RFC 2821. A HELO name that follows the rules seems particularly difficult for the spammers to configure. Non FQDNs on the sender, recipient or hostname... sending domains that don't even exist in DNS, servers using your domain name or your IP address and their HELO... a whole variety of strange things that only spammers (and once in a while really bad sysadmins) do. Then you can go a step further and require that someone's sending domain actually have dns properly setup for mail delivery (a "you can't mail me if I can't mail you" kind of thing).

Also, some grey listing systems are better than others. One that really works well for me is sqlgrey http://sqlgrey.sourceforge.net/ [sourceforge.net] Sqlgrey comes with a fairly decent list of servers to exclude due to their inability to properly follow specs, so you don't lose mail from most of the broken but nonspammer servers. This list is also updated automagically and seems to work pretty well.. makes greylisting actually usable, for us at least.

P.S. Don't want to start any holy wars, but if you're trying to fight mail and want a system thats easy to config and just works, postfix is a really great mail server.

Re:Are RBL's really finished (1)

TubeSteak (669689) | more than 6 years ago | (#17289140)

Any chance you can explain how I get e-mails where my address never shows up in the e-mail header?

Received: from basp34 (unknown [10.10.101.71])
        by mailgate.buysell.com (Postfix) with ESMTP id xxx
        for checkmeout105@hotmail.com

From: WickedGifts Postmaster@BuySell.com
To: checkmeout105@hotmail.com
My address is not checkmeout105@hotmail.com, but that's who it seems the e-mail was addressed to.

Re:Are RBL's really finished (2, Informative)

LodCrappo (705968) | more than 6 years ago | (#17289280)

well we are way off topic here, but this can happen for several reasons. first off, anything in the headers can (and often is) completely fake. Second, there is a big difference between the "To:" field in a message's headers and the SMTP envelope RCPT TO: address. If you're geniunely interested, I'd suggest looking at RFC 2821 and 2822 which are free online, or maybe skimming a book on SMTP.

HTH

Re:Are RBL's really finished (1)

good soldier svejk (571730) | more than 6 years ago | (#17289652)

Much like a physical business letter, SMTP messages have an envelope and a header. The envelope information is used for routing, just like the US mail, while the header information is what you see in your message just like the header on your business letter. So what you see in your client is totally arbitrary and has no effect on delivery.

Re:Are RBL's really finished (1)

swillden (191260) | more than 6 years ago | (#17290700)

Much like a physical business letter, SMTP messages have an envelope and a header.

Thanks for both enlightening me *and* making me feel like an idiot. Your analogy struck me as such a perfect one, and then I realized it's also an utterly obvious one. I've discussed SMTP envelopes before, but never thought to follow the analogy through to consider the mail headers as equivalent to the headings on a paper business letter. Duh!!! So obvious. Hit me like a bolt out of the blue, though.

Thanks again!

Re:Are RBL's really finished (1)

Onymous Coward (97719) | more than 6 years ago | (#17290852)

So, yeah, they'll tell you that the headers can be forged. This is true except for the last hop which should be your MTA.

So why doesn't your address show up in the "for" clause of the last hop? I don't think you'll see a fake address there, but where's your real address? I think in certain conditions your MTA will omit the "for". I don't know when that happens, but I've seen the "for" clause missing from the last hop on rare emails. I can't figure out the pattern.

(I use Postfix.)

Re:Are RBL's really finished (1)

Namegduf Live (910658) | more than 6 years ago | (#17290370)

Non FQDNs on the sender, recipient or hostname...
Most spam does not fail FQDN checks. You could consider it "yet another check...", catching some but not all mail, making there be less to check, but it has false positive problems that cause problems in this regard. I am in fact staff on an IRC network while has been forced to require an email check for nickname registration, and we have problems with mail servers rejecting our mail in some cases because of FQDNs problems. Others, like Gmail, accept it and it arrives instantly.

It isn't my area of knowledge but I'm assured that getting a FQDN isn't possible with our shell hosting, and these unnecessary filters creates a LOT of pain for users and staff who then must personally email the person to verify the email.

Is this a good idea if it hits false positive problems, and misses quite a lot anyway? Other checks would catch most spammers failing FQDN, and the number of false positives to spammers blocked who otherwise wouldn't be seems quite high.

Is FQDN supposed to be required for email servers?

Re:Are RBL's really finished (1)

Onymous Coward (97719) | more than 6 years ago | (#17291436)

My mailer only checks syntax of the hostname for FQDN-ness, not validity of the hostname. And it only does a loose interpretation of FQDN-ness syntax.

(We're talking about the hostname in the SMTP HELO/EHLO, if there's any question.)

That is,
    "foo" is not a FQDN by these measures
    "foo.bar" is FQDN by these measures
    "foo." is FQDN by these measures

No checks are performed for existence of any records (A, MX, or even NS) for the given domain. (I think there may be some misunderstanding as to what FQDN is.)

A technically complete FQDN (terminated by root zone '.') is not required (by my MTA).

And still this comprises 37% of total rejected spams on my server. Even more (potentially "most") if you dismiss the no-such-recipient rejections.

(FQDN requirement: RFC 2821 2.3.5)

Re:Are RBL's really finished (1)

LodCrappo (705968) | more than 6 years ago | (#17291558)

Non FQDNs on the sender, recipient or hostname...
Most spam does not fail FQDN checks.

uhh... what?? Tons of spammers fail these checks. Compromised Windows boxes acting as spam zombies almost always fail these checks, and as have increasingly becoming a major source of spam over the last couple years, these types of checks have become more and more effective. On the largest mail system I have access to stats on (about 200k messages per day) these checks blocked about 20% of all mail yesterday.

You could consider it "yet another check...", catching some but not all mail, making there be less to check, but it has false positive problems that cause problems in this regard. I am in fact staff on an IRC network while has been forced to require an email check for nickname registration, and we have problems with mail servers rejecting our mail in some cases because of FQDNs problems. Others, like Gmail, accept it and it arrives instantly.

It isn't my area of knowledge but I'm assured that getting a FQDN isn't possible with our shell hosting, and these unnecessary filters creates a LOT of pain for users and staff who then must personally email the person to verify the email.

Is this a good idea if it hits false positive problems, and misses quite a lot anyway? Other checks would catch most spammers failing FQDN, and the number of false positives to spammers blocked who otherwise wouldn't be seems quite high.

Sounds like sour grapes to me. Anyone who is telling you it isnt possible to configure your mail server correctly probably just doesn't understand how to do it.

Is FQDN supposed to be required for email servers?

Yes. Check out RFC 2821, section 4. And maybe take note of how many other people posted replies to this story suggesting the exact same types of strict checking for compliance with the standards. If you don't fix your server, expect the rejections to increase as more and more servers start requiring that mail server admins get their acts together.

Re:Are RBL's really finished (3, Informative)

Sentry21 (8183) | more than 6 years ago | (#17288612)

On my server, I use greylisting and RBLs, as well as other checks. In the span of one week, we received 128,000 e-mail attempts, 5000 of which were successful. The checks below block huge amounts of spam, to the point where I've actually removed spamassassin because the only messages it gets a chance to check are all legitimate.

For anyone who's wondering, here's what we've got going on, plus amavisd/clamav doing virus scanning. This blocks all spam I get (used to be 30-200 messages per day that Spamassassin would catch).

smtpd_recipient_restrictions =
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client dynablock.njabl.org

Re:Are RBL's really finished (1)

morgandelra (448341) | more than 6 years ago | (#17290564)

wow, I would kill for that light a load :) I get 150,000-300,000 attempts a day and I only have 2000 email accounts on my servers.

Re:Are RBL's really finished (1)

morgan_greywolf (835522) | more than 6 years ago | (#17288680)

Is there a middle ground? Some third way that lets lets you reject as much as possible at the start of the SMTP transaction?


A big one a lot of people don't like and I've never been sure why: 95%+ of all messages where the domain in the 'To:' doesn't match the DNS domain of the IP address in the 'X-Originating-IP:' line are SPAM. So just reject them ALL. SPAM problem solved. Whiners will be executed on site.

Re:Are RBL's really finished (1)

secolactico (519805) | more than 6 years ago | (#17289264)

Uh? So the PTR of the originating IP has to match the domain of the destination?

But even if you meant the "From:", how do you deal with hosted mail domains? My domain might be one of thousands hosted at "smtpserver.bigprovider.com" or the like.

Re:Are RBL's really finished (2, Informative)

btpier (587890) | more than 6 years ago | (#17288902)

I use strict HELO requirements, greylisting, RBLs, and finally SpamAssassin on my home server. Very few spams make even make it to the SpamAssassin checks. Adding the HELO requirements and greylisting reduced the number spam emails SpamAssassin had to check from >100 emails per day down to an average of about 5 per week.

I haven't had any issues with greylisting. I know of no emails that I haven't eventually received and even web-page sign-ups/registrations have gotten through without a hitch.

There are also filters for postfix that can reject connections based on the age of the domain. If the domain is less than 4 days old, it's likely to be a spammer. I haven't implemented it yet but if the tide of spam swells again, that will be my next line of defense.

Re:Are RBL's really finished (1)

BandoMcHando (85123) | more than 6 years ago | (#17290074)

For example, one significant problem with greylisting is if your organisation happens to use a large 3rd party mail processing company for antivirus and antispam services... with many many email servers... so greylisting may decide to accept mail from you this time... or not... do you feel lucky today?

Efficiency (3, Informative)

cockroach2 (117475) | more than 6 years ago | (#17288250)

I'm not sure I agree about the lack of efficiency: On a "normal" day my server which hosts about 60 mailboxes blocks between 5000 and 6000 e-mail messages (4992 yesterday, 4936 Sunday, 5615 Saturday, 5763 Friday etc.) using ordb, spamhaus and dsbl. While it's true that I still have to use spamassassin for additional content filtering, that's more than 5000 messages a day which don't even enter the system - I consider that quite a lot.

Efficiency? (1)

AltGrendel (175092) | more than 6 years ago | (#17288624)

Not to be a troll, but what's the breakdown per service? Is ordb doing the heavy lifting? Or is spanhaus? If it's an even 33% aross the board, ok. But if ordb is only doing 1% of that 5000 then they're right, blocking relays is no longer effective.

Re:Efficiency? (2, Informative)

cockroach2 (117475) | more than 6 years ago | (#17289044)

You're right, about 95% (or more) of the blocking is done by spamhaus (it is the first filter which is used, thus it's clear that they catch more than the others). Still, the ORDB guys basically say that open relay RBLs in general don't make much sense anymore which, as I consider spamhaus to be an open relay RBL too, I can't agree to.

For completeness' sake, here's the breakdown for yesterday:
  - spamhaus: 4769 (96%)
  - dsbl.org: 220 (4%)
  - ordb.org: 3 (0%)

Open Relay Lists (1)

DaMattster (977781) | more than 6 years ago | (#17288376)

According to ordb.org's website, they maintained a list of open relay servers that you can use to block mail. I may be wrong but it seems that most email servers disable open relay by default. I know that Postfix takes great pains to prevent open relay in the default install, configurations not even withstanding. ORDB filled a niche for a while but may actually be redundant at this point. Spam will always be a game of cat and mouse.

Re:Open Relay Lists (1)

erlenic (95003) | more than 6 years ago | (#17288726)

As others have said, they are still very useful. At my company, of the 125,020 pieces of spam we blocked in November, 81,316 of them were blocked by blacklists. That's 65% of all detected spam. That's over 2,700 e-mails per day that our already overloaded relay server didn't have to spend much processing time on.

Re:Open Relay Lists (1)

mungtor (306258) | more than 6 years ago | (#17289782)

but that's just a blacklist.... Which blacklists and why was the server on the blacklist? Was it a known source of spam and not an open relay?

Spam control methodology (2, Informative)

wiredog (43288) | more than 6 years ago | (#17288398)

A "public" e-mail account, given to businesses, people who like to cross-post via CC (instead of BCC), places like /., etc. I use Gmail, which does a good bit of spam filtering.

A "private" e-mail account, given only to family and close friends, whit a set of filtering rules to build the whitelist, and everything else run through bayesian filtering.

Between the two, I have to deal with very little spam.

OT:This is my 2,000th Slashdot comment...

Re:Spam control methodology (2, Funny)

robogun (466062) | more than 6 years ago | (#17289286)

OT:This is my 2,000th Slashdot comment...

Damn. I only received 337 of them, my filter must have caught the rest!

Re:Spam control methodology (1)

0100010001010011 (652467) | more than 6 years ago | (#17291446)

I'm doing something similar, I just wish my friends weren't idiots. I have my own domain and my e-mail goes something like this:
DreamHost -> Gmail -> DreamHost

slashdot@mydomain.com, etc helped me harass one website about using my e-mail in un-authorized ways.

Except that all my friends have my 'real' address, so when they invite me with something like e-invite or send me a funny URL through a webform, they use my 'real' e-mail.

Although most of the spam I'm getting now is bounces that "I" originated.

RBLs not so trivial (4, Informative)

jblakezachary (1025970) | more than 6 years ago | (#17288408)

The ORDB notice makes it sound like we should all abandon RBL lookups all together. I operate a small GroupWise domain ~about 300 users~ and checked my GWAVA stats when I read the article. 78,000 of the last 155,000 inbound messages were blocked as RBL hits. This first step in ridding most of our spam takes a load off of the more server intensive methods of filtering mail and still seems very relevant. I will be sad to see ORDB go.

For those of you relying on RBL lookups, the following are still available and seem to be very reliable, producing few to zero false positives:
zen.spamhaus.org
bl.spamcop.net
list.dsbl.org

Re:RBLs not so trivial (1)

Spoke (6112) | more than 6 years ago | (#17289914)

zen.spamhaus.org
bl.spamcop.net
list.dsbl.org
I use those same domains for my mail servers and also find them to be very effective.

Besides spamcop.net [slashdot.org] , are there any other useful service to forward spam to to help add to these blacklists?

Spam Can-Doers (1, Flamebait)

Doc Ruby (173196) | more than 6 years ago | (#17288700)

Since the Republican Congress "defeated spam" with their CAN-SPAM Act, I've noticed my incoming spam double every month for years. While I notice that the antispam organizations keep folding, or even getting shut down.

Re:Spam Can-Doers (2, Funny)

s7uar7 (746699) | more than 6 years ago | (#17290590)

Since the Republican Congress "defeated spam" with their CAN-SPAM Act, I've noticed my incoming spam double every month for years

CAN-SPAM took effect on 1 January 2004, so assuming you got 1 spam that month and it's doubled every month since, that means you're getting about 564 million spam emails a day now. I wouldn't want to be your ISP :)

Re:Spam Can-Doers (1)

Doc Ruby (173196) | more than 6 years ago | (#17290928)

Actually it seems to be doubling every three months, though that accelerated this past Summer. And "for years" since mid-2005. That's about 2^6, which is about the couple-few hundred spams I get each day.

I wouldn't want to be my ISP, anyway - or I would be :).

Re:Spam Can-Doers (3, Insightful)

rworne (538610) | more than 6 years ago | (#17291546)

Really?

The U.S. Senate voted 97-0 (with 3 nonvoting senators).
Congress voted in much a similar fashion: 392-5.

link [vote-smart.org]

Jump off that hate bandwagon and realize you being screwed over by both parties.

Re:Spam Can-Doers (1)

Doc Ruby (173196) | more than 6 years ago | (#17291782)

Do you know how Congress works? Especially the now departing (but not lamented) Republican "Contract" Congress? They abused their majority to rewrite, abuse and selectively enforce rules that excluded minority Democrats from any representation, even in the nearly 50:50% proportions they controlled. To an unprecedented degree.

Democrats are no saints. They certainly do their share of the screwing. But theirs has been sustainable. Under Republican rule, Democrats had to trade votes to Republicans, including just for shows of "bipartisanship" engineered by Republicans, just to get crumbs. Which of course they shared mostly with their own corrupt cronies who bribe^Wdonate to their campaigns.

But this has been a Republican Congress, with a Republican president, in lockstep, stomping all over minority rights. Republcians take the blame.

Snap out of the Republican smokescreen that "they're both guilty" and realize the worst crooks have been raping us, even using the manageable crooks to hide their dirty hands.

Spam (1)

certel (849946) | more than 6 years ago | (#17289162)

To fight spam we should hold the following responsible: 1) ISP's for not properly configurating their network to block certain traffic to certain home computers ports. Even more so when suspect traffic is noticed. Example, my ISP does not allow outbound port 25 connections. 2) Software companies who develop broken code allowing such activities (IE, Microsoft). Nuff said.

Re:Spam (1)

DShard (159067) | more than 6 years ago | (#17290294)

And since phishing sites are bad for people we should also have ISPs block outbound port 80 and 443. That will stop those pesky get rich schemes.

Re:Spam (1)

johnw (3725) | more than 6 years ago | (#17291284)

SP's for not properly configurating
ITYM "configuratisationing"

Since I get a fair amount of spam... (0)

Anonymous Coward | more than 6 years ago | (#17289194)

I'd like to take advantage of the RBL lookups against my own database. Is there any open source software that can accept a DNS lookup message, enable me to lookup the IP in MySQL (for instance), and respond back with a 127.0.0.1 or not?

This would enable me to build my own blacklist from spams coming in to my server for accounts which have NEVER existed, or have only existed on remove lists.

Re:Since I get a fair amount of spam... (1)

Hymer (856453) | more than 6 years ago | (#17290302)

Technically it is just a DNS server... there is nothing spookey about it, you just make a entry in your dns server for the spam source and point it to 127.0.0.2 (and not 127.0.0.1)...

Re:Since I get a fair amount of spam... (0)

Anonymous Coward | more than 6 years ago | (#17292026)

Yeah, but I don't want to rewrite and reload a zone file multiple times a day containing the hundreds to thousands of IP addresses I get spam from daily. That's why I'd like the lookups to take place against a database.

How nice of them to let us know.... (2, Interesting)

NerveGas (168686) | more than 6 years ago | (#17289224)


    By giving people one entire day to remove their mailer configuration, they didn't leave people much time. Of course, that's sort of moot, I noticed early last week that my mailer wasn't getting responses from them any more, causing timeout delays on the query for every incoming message.

    Ah, well. I guess I shouldn't complain, since this one inconsiderate act is vastly overshadowed by the usefulness they've provided over the years.

Re:How nice of them to let us know.... (1)

scoof (2459) | more than 6 years ago | (#17291876)

The timeouts are not because the project shut down, but simply because the nameservers can't handle the traffic that's thrown at them. One of the largest burdens of running ORDB was getting proper name service. The zone is still served by many nameservers, but is empty.

I thought all the spam comes from Windows Zombies (0)

Anonymous Coward | more than 6 years ago | (#17289872)

I remember setting up a filter that would run an open relay check before accepting the mail.
That's when I realized that 99.9% of spam came from Windows zombie boxes, not from mail relays at all.

SORBS (2, Informative)

Hymer (856453) | more than 6 years ago | (#17290910)

1. SORBS sucks... and they work because they suck. They assume any mail source is a spam source unless it got a rDNS record (wich may be quite hard to get on ADSL lines).
2. SpamHaus do a decent job and they don't make funny/crazy assumptions, and they do try to keep the list up to date.
3. Even content check does not block spam... spammers are sending pictures with their message... and they make those hard to run thru OCR (just like the Human-Check here on /.).
4. A world wide law against spam would help but is not likely to happen.
...whoever find a working non-STASI-like (ie. SORBS) and open solution will get my vote for the Nobel Prize...
...and yes I do know about several methods for fighting spam but they are far from perfect... they are usually based on certificates and they do work pretty well... we do however need a solution in the SMTP and not an propriatary addon on top of it...
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>