On Mon, Nov 20, 2000 at 01:35:20AM +0100, Piotr Kasztelowicz wrote:
> I will tell you about my experience with ORBS (as a network administrator),
> because the people associated with qmail have recommended using and relying
> on ORBS as a good anti-spam method.
>
> Let me offer another opinion!
>
> After the crash of one of the Polish Cardiac Society's servers, located in
> Lodz (I administer other servers), I was asked to help with administering
> and securing this host. Until September it was really insecure and was
> flagged (as I think and see) by ORBS as insecure.
Okay, so ORBS thought the previous incarnation of the mail host was an
open relay.
> Exactly; it is not excluded that already at that time this helped hackers
> "to find it as easy to break".
You mean by relaying through the server? I believe ORBS only divulges
open relay IPs when the hosts in question persist in being open
relays. Presuming your server didn't reach that point, the only way
spammers could have found it was by looking up your IP at random
through the ORBS DNS or by scanning the net.
> Since October, after the crash, I have installed the software recommended,
> nota bene, by ORBS and by this mailing list: qmail as the mail system and
> tcpserver to secure qmail as well as telnetd, ftpd and other insecure
> Internet daemons.
Gotcha.
> On November 5 I observed evidence of port scanning, namely the relay test
> by ORBS. These were accepted by the SMTP server, which is secured against
> open relaying, because ORBS tried to use addresses in the domain of the
> tested host (i.e. @lodz.ptkardio.pl).
Ok.
> The test continued until November 9. At that time I was away from my
> hospital; I was participating in the Polish Medical Internet Conference,
> where I talked about qmail and tcpserver as a good security system for
> Internet servers too.
>
> "Nov 5 10:49:13 sun smtp: tcpserver: ok 16751 :212.51.193.152:25 relaytest.orbs.vuurwerk.nl:194.178.232.55::4445"
>
>
> At that time there was evidence of an attack on this server, previously "tested by ORBS".
That log snippet only shows that ORBS connected to your SMTP
service. That is hardly an attack.
> The hackers did not break tcpserver, but the system was not responding,
> and at that time we could not react. Once the friends from Lodz had
> rebooted the server, it worked correctly. I began to analyze the logs.
>
> The logs indicated Romania as the hackers' location:
>
> "Nov 9 12:13:05 sun telnet: tcpserver: deny 18305 :212.51.193.152:23 falconsrl.rdsnet.ro:193.231.236.12::3802"
>
> Everything was restored in a short time after this attack. But after some
> time ORBS began the test again. And at the same time I again observed more
> evidence of hacking; luckily, without damage.
That's ridiculous. How could a failed connection attempt from a host
in Romania be considered a crack attempt? What does it have to do with
ORBS?
> I have sent ORBS requests to remove me from their database and to stop
> testing, because I am of the opinion that this database is used first of
> all by hackers.
You can certainly ask them to stop testing, but the ORBS database
doesn't keep top secret information, it is just a list of IPs. There
are many interesting hosts out there, most of which aren't listed in
ORBS.
> If during the test I observed increased attack activity, I can suppose
> that hackers at that time had information about which host was being
> tested and which host was established as insecure. From where?!
ORBS only lists hosts that are open mail relays. ORBS doesn't check
for any other vulnerabilities.
> I have blocked SMTP on my machines to bounce all mail from ORBS. The effect
> is good, but ORBS is apparently still active:
>
> "Nov 20 00:22:39 sun smtp: tcpserver: deny 7226 :212.51.193.152:25 mail2.manawatu.net.nz:202.36.148.21:postmaster:1932"
>
> WHY!
Is that even an ORBS tester, or are you now blocking legitimate mail?
> PLEASE DON'T RECOMMEND ORBS. This is criminal activity. My host can be
> damaged during its evaluation!
129.63.206.57. That's an IP, I just listed an IP. Am I a criminal?
The story I got so far is ORBS tested your machine and found it to be
an open relay. You fixed it and ORBS tested you again. Meanwhile there
were isolated connection attempts from Romania and a system crash you
haven't firmly correlated to anything else.
Given those facts, solar flares seem a more plausible culprit than ORBS.
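The argument above turns on what the three quoted tcpserver log lines actually say: one ORBS relay tester connecting to SMTP, one denied telnet connection from a Romanian host, and one denied SMTP connection from a host that is not obviously an ORBS tester. The following is an added example, not code from the original message or from the qmail/ucspi-tcp projects, that parses tcpserver's "ok"/"deny" log lines and groups them so these three cases fall apart on their own. It assumes the log format shown in the message (syslog timestamp, hostname, service tag, then tcpserver's "<verdict> <pid> <localhost>:<localip>:<localport> <remotehost>:<remoteip>:<ident>:<remoteport>") and, as a stated simplification, treats a peer as an ORBS tester only when its reverse-resolved hostname has an "orbs" label, which is the only tester name the message shows. The sample input is the three quoted lines with their wrapped hostnames rejoined.

```python
import re
from collections import Counter

# Constructed sample input: the three tcpserver -v lines quoted in the
# message above, with the line-wrapped hostnames joined back together.
SAMPLE_LOG = """\
Nov 5 10:49:13 sun smtp: tcpserver: ok 16751 :212.51.193.152:25 relaytest.orbs.vuurwerk.nl:194.178.232.55::4445
Nov 9 12:13:05 sun telnet: tcpserver: deny 18305 :212.51.193.152:23 falconsrl.rdsnet.ro:193.231.236.12::3802
Nov 20 00:22:39 sun smtp: tcpserver: deny 7226 :212.51.193.152:25 mail2.manawatu.net.nz:202.36.148.21:postmaster:1932
"""

# One syslog line carrying a tcpserver -v verdict. The local hostname field
# is empty in the quoted lines, so both host fields allow the empty string.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+(?P<service>\S+):\s+tcpserver:\s+"
    r"(?P<verdict>ok|deny)\s+(?P<pid>\d+)\s+"
    r"(?P<lhost>[^:\s]*):(?P<lip>[^:\s]+):(?P<lport>\d+)\s+"
    r"(?P<rhost>[^:\s]*):(?P<rip>[^:\s]+):(?P<ident>[^:\s]*):(?P<rport>\d+)\s*$"
)


def is_orbs_tester(rhost):
    # Assumption for this example only: an "orbs" label in the reverse name
    # marks an ORBS tester. A real deployment would match the tester IPs
    # ORBS published rather than trust reverse DNS, which the peer controls.
    return "orbs" in rhost.lower().split(".")


def parse_line(line):
    """Return the fields of one tcpserver verdict line, or None if the line
    is not a tcpserver ok/deny record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "lport", "rport"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Group verdicts by (service, verdict, remote host) and pull out the
    three things the reply asks about: which SMTP peers were ORBS testers,
    which denied SMTP peers were not (possibly legitimate mail), and which
    connections were not to SMTP at all (unrelated to a relay test)."""
    rows = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    counts = Counter((r["service"], r["verdict"], r["rhost"]) for r in rows)
    orbs_smtp = [r["rhost"] for r in rows
                 if r["service"] == "smtp" and is_orbs_tester(r["rhost"])]
    denied_non_orbs_smtp = [r["rhost"] for r in rows
                            if r["service"] == "smtp" and r["verdict"] == "deny"
                            and not is_orbs_tester(r["rhost"])]
    non_smtp = [(r["service"], r["rhost"]) for r in rows if r["service"] != "smtp"]
    return {
        "parsed": len(rows),
        "counts": counts,
        "orbs_smtp": orbs_smtp,
        "denied_non_orbs_smtp": denied_non_orbs_smtp,
        "non_smtp": non_smtp,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key, n in sorted(s["counts"].items()):
        print("%-7s %-5s %-30s %d" % (key[0], key[1], key[2], n))
    print("ORBS testers on SMTP:", s["orbs_smtp"])
    print("denied SMTP peers that are not ORBS:", s["denied_non_orbs_smtp"])
    print("non-SMTP connections:", s["non_smtp"])
```

Run against the quoted lines, the summary puts relaytest.orbs.vuurwerk.nl under ORBS testers, lists mail2.manawatu.net.nz as a denied SMTP peer that is not an ORBS tester (the case the reply questions), and shows the Romanian host only under telnet, which no relay test touches. Whether a denied non-ORBS peer is legitimate mail still has to be decided by looking at that peer, not at ORBS.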
PGP signature