Re: orbs

[Henning Brauer]

On Thu, Jul 19, 2001 at 10:22:24AM -0400, Kurth Bemis wrote:
 does any one know why orbs is offline?

ORBS is closed due to legal problems. There were a thread a few weeks ago
here.

-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Re: orbs

[Vincent Schonau]

On Thu, Jul 19, 2001 at 10:22:02AM -0400, Kurth Bemis wrote:

 does any one know why orbs is offline?

It appears to be because of a) legal troubles and b) the fact that
Alan Brown has sold his ISP business. It is highly unlikely at this
point that it will ever come back. It has been down, by the way, since
early June.

If you are still running rblsmtpd querying any of the ORBS lists, be
warned:

   - The lists are no longer being maintained. The information in
 those list is *fast* becoming outdated; as time passes, you
 will be rejecting mail from more and more hosts that are not
 open relays.
 
   - The volunteers who provided DNS service to orbs.org are now
 seeing a significant increase in bandwidth usage because of the
 way the orbs lists were shut down. One of them has already turned
 to answering *every* ORBS request with an A and TXT record; this
 will lead to loss of _at least_ 1/10th of the mail at hosts
 still using ORBS.
 
It is possible that others will start doing the same; in which case
you will lose even more mail.

Stop querying the ORBS lists; you're just wasting your own and others'
resources.

And if you switch to one of the other DNSBL's, please make sure you
keep up with the various anti-spam forums. Most of these services are
provided for free; making sure you don't waste the resources is the
least you can do.


Vince.

RE: orbs

[Michael Geier, CDM Systems Admin]

There are three new ORBS forks.

http://www.orbl.org/
http://www.orbz.gst-group.co.uk/orbs/
http://www.ordb.org/


-Original Message-
From: Vincent Schonau [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 11:13 AM
To: [EMAIL PROTECTED]
Subject: Re: orbs


On Thu, Jul 19, 2001 at 10:22:02AM -0400, Kurth Bemis wrote:

 does any one know why orbs is offline?

It appears to be because of a) legal troubles and b) the fact that
Alan Brown has sold his ISP business. It is highly unlikely at this
point that it will ever come back. It has been down, by the way, since
early June.

If you are still running rblsmtpd querying any of the ORBS lists, be
warned:

   - The lists are no longer being maintained. The information in
 those list is *fast* becoming outdated; as time passes, you
 will be rejecting mail from more and more hosts that are not
 open relays.
 
   - The volunteers who provided DNS service to orbs.org are now
 seeing a significant increase in bandwidth usage because of the
 way the orbs lists were shut down. One of them has already turned
 to answering *every* ORBS request with an A and TXT record; this
 will lead to loss of _at least_ 1/10th of the mail at hosts
 still using ORBS.
 
It is possible that others will start doing the same; in which case
you will lose even more mail.

Stop querying the ORBS lists; you're just wasting your own and others'
resources.

And if you switch to one of the other DNSBL's, please make sure you
keep up with the various anti-spam forums. Most of these services are
provided for free; making sure you don't waste the resources is the
least you can do.


Vince.

Re: orbs

[Jon Rust]

On Thu, Jul 19, 2001 at 06:12:37PM +0200, Vincent Schonau wrote:
 
 And if you switch to one of the other DNSBL's, please make sure you
 keep up with the various anti-spam forums. Most of these services are
 provided for free; making sure you don't waste the resources is the
 least you can do.

Yes, very good point. For example, beginning Aug 1 of this year, mail-abuse.org
(that's the original RBL, MAPS and DUL) will begin charging for access
to their DNS servers. If you don't have an account set-up with them
before then, you will lose access to them.

orbl.org seems to a popular replacement for orbs.org and MAPS.

jon

Re: orbs

[Christopher Tarricone]

As I understand it they were shutdown because the ISP was hosting them had
made a mandate that ORBS alert systems administrators BEFORE testing thier
servers for open relay
- Original Message -
From: Kurth Bemis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 19, 2001 10:22 AM
Subject: orbs


 does any one know why orbs is offline?

 ~kurth

Re: ORBS, and RFC-ignorant blacklists

[Peter van Dijk]

On Tue, Jun 05, 2001 at 08:00:00AM +0200, Piotr Kasztelowicz wrote:
 On Mon, 4 Jun 2001, Alex Pennace wrote:
 
  Can you please get over this? The evidence you posted last year was
  flawed, it did not link ORBS to a few probes from Romania. You have no
  proof that ORBS is somehow worse than any other list of IPs.
 
 1) My host was by me secured (qmail+tcpserver with no open relay)
 but A. Brown hasn't removed me form his list

So tell us your IP and show it is being listed by ORBS, so we can see
for ourselves if this is true.

 2) The hacking proof was repeated each time, when tester was active
 with performing with test

Ofcourse.

 3) Each hacker can read and such list are for his the great
 direction, where seek. Problem was, that in this time this
 server was already secured and all was written to logs

No, not each hacker can read the list. Only hosts that have been
relays for over 30 days get in a publicly-available list, because
relays that stay open that long probably will never get fixed.

 4) With A. Brown was no discussion. I have asked him to break
 test but he has me adviced to turn off my server

ORBS can be configured to 'ignore' your netblock, and I've never seen
Alan be unwilling to do so for anybody.

 5) I have blocked my server with command to tcpserver
 =.nl:deny and since this time all hacking proof
 has been finished and no longer has been reported.
 Since this time all problems with them has been finished

The ORBS tester does not have a reverse that ends in .nl.

 I'm very happy thaht NZ Court has been this same opinion
 as I.

You are also confused about the courtcase, apparently.

Greetz, Peter.

Re: ORBS, and RFC-ignorant blacklists

[Alex Pennace]

On Tue, Jun 05, 2001 at 07:59:38AM +0200, Piotr Kasztelowicz wrote:
 On Mon, 4 Jun 2001, Alex Pennace wrote:
 
  Can you please get over this? The evidence you posted last year was
  flawed, it did not link ORBS to a few probes from Romania. You have no
  proof that ORBS is somehow worse than any other list of IPs.
 
 1) My host was by me secured (qmail+tcpserver with no open relay)
 but A. Brown hasn't removed me form his list

That's a valid complaint.

 2) The hacking proof was repeated each time, when tester was active
 with performing with test

The ORBS tester is not engaging in any form of computer trespass. If
you don't want people connecting to your SMTP service, take steps to
remove it from the public Internet.

 3) Each hacker can read and such list are for his the great
 direction, where seek. Problem was, that in this time this
 server was already secured and all was written to logs

Publishing a list of IPs is not a crime.

 4) With A. Brown was no discussion. I have asked him to break
 test but he has me adviced to turn off my server

Interesting.

 5) I have blocked my server with command to tcpserver
 =.nl:deny and since this time all hacking proof
 has been finished and no longer has been reported.
 Since this time all problems with them has been finished
 
 I'm very happy thaht NZ Court has been this same opinion
 as I.

The NZ court action has nothing to do with computer trespass if I'm
not mistaken.

Re: ORBS, and RFC-ignorant blacklists

[Piotr Kasztelowicz]

On Tue, 5 Jun 2001, Peter van Dijk wrote:

 So tell us your IP and show it is being listed by ORBS, so we can see
 for ourselves if this is true.

Now it is not possible, because the ORBS is closed
The host is sun.lodz.ptkardio.pl [212.51.193.152]

 relays that stay open that long probably will never get fixed.

Since September 2000 relay open has been fixed by me on
Dane Bernstein software - qmail, tcpserver. A. Brown will
not remove me from list. This is clear, that ORBS uses
others, that objectives criteria.

 ORBS can be configured to 'ignore' your netblock, and I've never seen
 Alan be unwilling to do so for anybody.

NZ Court, as we have heard don't let him do to.
I'm the Vicepresident of Polish Medical Internet Society
and this same work at security and quality of Polish medical
servers. I work as consultant. My statement
is clear. Each use SMTP on server, which don't lead to
sent or receive mail without a permission of administrator
should be taken as inappropriate activity and illegal by any
law. I have made many such expertises and in each case
do to the law effects. Therefore I don't wonder that
NZ High Court take the injunction to remove ORBS list

 The ORBS tester does not have a reverse that ends in .nl.

Dec  4 23:39:09 sun smtp: tcpserver: deny 29386 :212.51.193.152:25
relaytest.orbs.vuurwerk.nl:194.178.232.55::2991

As you can see netblock is effective.

Best Wishes

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

[OT] [useless thread] Re: ORBS, and RFC-ignorant blacklists

[Peter van Dijk]

On Tue, Jun 05, 2001 at 01:29:59PM +0200, Piotr Kasztelowicz wrote:
 On Tue, 5 Jun 2001, Peter van Dijk wrote:
 Now it is not possible, because the ORBS is closed
 The host is sun.lodz.ptkardio.pl [212.51.193.152]
 
  relays that stay open that long probably will never get fixed.
 
 Since September 2000 relay open has been fixed by me on
 Dane Bernstein software - qmail, tcpserver. A. Brown will
 not remove me from list. This is clear, that ORBS uses
 others, that objectives criteria.

You have shown us no proof. That you are unable to for external
reasons is too bad, but I suggest that you do not claim the above
until you can show us proof.

 NZ Court, as we have heard don't let him do to.
 I'm the Vicepresident of Polish Medical Internet Society
 and this same work at security and quality of Polish medical
 servers. I work as consultant. My statement

So people *pay* you to do silly things like block all of .nl?

[snip]
  The ORBS tester does not have a reverse that ends in .nl.
 
 Dec  4 23:39:09 sun smtp: tcpserver: deny 29386 :212.51.193.152:25
 relaytest.orbs.vuurwerk.nl:194.178.232.55::2991
 
 As you can see netblock is effective.

It indeed effectively blocks .nl hosts. The orbs-tester, however, is
not an .nl host. It was back in december, as you clearly demonstrate,
but it isn't now.

Greetz, Peter.

Re: [OT] [useless thread] Re: ORBS, and RFC-ignorant blacklists

[Piotr Kasztelowicz]

On Tue, 5 Jun 2001, Peter van Dijk wrote:

 You have shown us no proof. That you are unable to for external
 reasons is too bad, but I suggest that you do not claim the above
 until you can show us proof.

I don't believe you. Why I should believe you, when A. Brown
has presented arrogant behavior to me?

 So people *pay* you to do silly things like block all of .nl?

Post from .nl can be received thus secondaries MX - this works,
test no.

 It indeed effectively blocks .nl hosts. The orbs-tester, however, is
 not an .nl host. It was back in december, as you clearly demonstrate,
 but it isn't now.

If I have it find - I make block and send protest to Netherlands Embassy
in Warsaw. I will say you again, the all activities, which you will
perform on my server on port 25, which are not provided to send a post
to any user on them is inappropriate using of this port and will be
not permitted be me as server administrator. This depends all
like ORBS systems, whose owners are participants of this list

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: [OT] [useless thread] Re: ORBS, and RFC-ignorant blacklists

[Adam McKenna]

Can you guys please stop feeding this troll?

--Adam

Re: [OT] [useless thread] Re: ORBS, and RFC-ignorant blacklists

[Greg White]

On Tue, Jun 05, 2001 at 05:10:32PM +0200, Piotr Kasztelowicz wrote:
 On Tue, 5 Jun 2001, Peter van Dijk wrote:
 
  You have shown us no proof. That you are unable to for external
  reasons is too bad, but I suggest that you do not claim the above
  until you can show us proof.
 
 I don't believe you. Why I should believe you, when A. Brown
 has presented arrogant behavior to me?

Please, please, everyone, let's not let this guy waste another week of
the list members' time and energy! Doesn't anyone remember what happened
when people tried rational arguments on this guy last time? AFAICT, he's
simply a troll -- ignore him...


-- 
Greg White
Those who make peaceful revolution impossible will make violent
revolution inevitable.
-- John F. Kennedy

Re: ORBS, and RFC-ignorant blacklists

[Alex Pennace]

On Tue, Jun 05, 2001 at 01:29:37PM +0200, Piotr Kasztelowicz wrote:
 Each use SMTP on server, which don't lead to
 sent or receive mail without a permission of administrator
 should be taken as inappropriate activity and illegal by any
 law.

With that attitude you criminalize:

1. Incomplete SMTP transactions,
2. Poor slobs who load a web page with img src=http://yourhost:25;
3. People who are tracking down mail problems and connect to your SMTP
service to check a few things.

Your SMTP service isn't harmed by any of those.

Re: ORBS, and RFC-ignorant blacklists

[Ask Bjoern Hansen]

On Fri, 1 Jun 2001, Johan Almqvist wrote:

 * Alex Pennace [EMAIL PROTECTED] [010601 04:25]:
  http://www.orbs.org/ says Due to circumstances beyond our control,
  the ORBS website is no longer available.

 http://www.dorkslayers.com/ seems to be the successor in some ways. But
 the first statement

 It is our intention to never list IP addresses which have any of the
 following characteristics:
 - a physical location within the United States of America (USA)
 [...]

 makes me wonder a bit...

they just don't want to bother with lawsuits.


 - ask

-- 
ask bjoern hansen, http://ask.netcetera.dk/   !try; do();
more than 100M impressions per day, http://valueclick.com

Re: ORBS, and RFC-ignorant blacklists

[Ask Bjoern Hansen]

On Tue, 5 Jun 2001, Piotr Kasztelowicz wrote:

[...]
 I'm very happy thaht NZ Court has been this same opinion
 as I.

Well, they don't.

The court didn't tell him to shut down ORBS, only to remove a few
defamatory listings.


 - ask

-- 
ask bjoern hansen, http://ask.netcetera.dk/   !try; do();

Re: ORBS, and RFC-ignorant blacklists

[Piotr Kasztelowicz]

On Sun, 3 Jun 2001, Peter van Dijk wrote:

 Furthermore, Alan Brown's activities are not illegal - the ORBS
 relaytester runs in The Netherlands, where this is not illegal by any
 law.

Maybe in Netherlands is not illegal, but in Netherlands even euthanasia
is legal by any law, in other countries not! The tester is in Netherlands
but it otucomes follow results in other countries, where performing
such lists and testing, which seeks the vulnerabilities in servers
and helps hackers at attacks, is illegal. From corespondence on this
list can be considered, that in US, NZ is illegal, in my country (Poland)
too. So, if Netherland will be right to others, probably shall give
this same injunction as NZ High Court - this want only a lot time

Best Wishes

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS, and RFC-ignorant blacklists

[Alex Pennace]

On Mon, Jun 04, 2001 at 09:17:28AM +0200, Piotr Kasztelowicz wrote:
 On Sun, 3 Jun 2001, Peter van Dijk wrote:
  Furthermore, Alan Brown's activities are not illegal - the ORBS
  relaytester runs in The Netherlands, where this is not illegal by any
  law.
 
 Maybe in Netherlands is not illegal, but in Netherlands even euthanasia
 is legal by any law, in other countries not! The tester is in Netherlands
 but it otucomes follow results in other countries, where performing
 such lists and testing, which seeks the vulnerabilities in servers
 and helps hackers at attacks, is illegal. From corespondence on this
 list can be considered, that in US, NZ is illegal, in my country (Poland)
 too. So, if Netherland will be right to others, probably shall give
 this same injunction as NZ High Court - this want only a lot time

Can you please get over this? The evidence you posted last year was
flawed, it did not link ORBS to a few probes from Romania. You have no
proof that ORBS is somehow worse than any other list of IPs.

Re: ORBS, and RFC-ignorant blacklists

[Mark]

On Mon, Jun 04, 2001 at 09:17:50AM +0200, Piotr Kasztelowicz allegedly wrote:
 On Sun, 3 Jun 2001, Peter van Dijk wrote:
 
  Furthermore, Alan Brown's activities are not illegal - the ORBS
  relaytester runs in The Netherlands, where this is not illegal by any
  law.
 
 Maybe in Netherlands is not illegal, but in Netherlands even euthanasia
 is legal by any law, in other countries not! The tester is in Netherlands
 but it otucomes follow results in other countries, where performing
 such lists and testing, which seeks the vulnerabilities in servers
 and helps hackers at attacks, is illegal. From corespondence on this
 list can be considered, that in US, NZ is illegal, in my country (Poland)
 too. So, if Netherland will be right to others, probably shall give
 this same injunction as NZ High Court - this want only a lot time

I'm confused. Isn't the use of ORBS entirely voluntary? I don't see
how any site on the Internet is obliged to accept any traffic at
all. So, if a site chooses to reject traffic based on a list -
regardless of how flawed it may be - what's the big deal?

But I fail see the relevance to qmail...


Regards.

Re: ORBS, and RFC-ignorant blacklists

[David Means]

Besides, ORBS is dead!

http://www.orbs.org/

Or, is that the wrong site?

David


Mark wrote:
 
 On Mon, Jun 04, 2001 at 09:17:50AM +0200, Piotr Kasztelowicz allegedly wrote:
  On Sun, 3 Jun 2001, Peter van Dijk wrote:
 
   Furthermore, Alan Brown's activities are not illegal - the ORBS
   relaytester runs in The Netherlands, where this is not illegal by any
   law.
 
  Maybe in Netherlands is not illegal, but in Netherlands even euthanasia
  is legal by any law, in other countries not! The tester is in Netherlands
  but it otucomes follow results in other countries, where performing
  such lists and testing, which seeks the vulnerabilities in servers
  and helps hackers at attacks, is illegal. From corespondence on this
  list can be considered, that in US, NZ is illegal, in my country (Poland)
  too. So, if Netherland will be right to others, probably shall give
  this same injunction as NZ High Court - this want only a lot time
 
 I'm confused. Isn't the use of ORBS entirely voluntary? I don't see
 how any site on the Internet is obliged to accept any traffic at
 all. So, if a site chooses to reject traffic based on a list -
 regardless of how flawed it may be - what's the big deal?
 
 But I fail see the relevance to qmail...
 
 Regards.

Re: ORBS, and RFC-ignorant blacklists

[Piotr Kasztelowicz]

On Mon, 4 Jun 2001, Alex Pennace wrote:

 Can you please get over this? The evidence you posted last year was
 flawed, it did not link ORBS to a few probes from Romania. You have no
 proof that ORBS is somehow worse than any other list of IPs.

1) My host was by me secured (qmail+tcpserver with no open relay)
but A. Brown hasn't removed me form his list

2) The hacking proof was repeated each time, when tester was active
with performing with test

3) Each hacker can read and such list are for his the great
direction, where seek. Problem was, that in this time this
server was already secured and all was written to logs

4) With A. Brown was no discussion. I have asked him to break
test but he has me adviced to turn off my server

5) I have blocked my server with command to tcpserver
=.nl:deny and since this time all hacking proof
has been finished and no longer has been reported.
Since this time all problems with them has been finished

I'm very happy thaht NZ Court has been this same opinion
as I.

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS, and RFC-ignorant blacklists

[Peter van Dijk]

On Mon, Jun 04, 2001 at 05:06:52PM -0400, David Means wrote:
 Besides, ORBS is dead!
 
 http://www.orbs.org/
 
 Or, is that the wrong site?

That is the right site, and ORBS is indeed currently dead.

Greetz, Peter.

Re: ORBS, and RFC-ignorant blacklists

[Piotr Kasztelowicz]

Hello

Alan Brown, operator of ORBS, was served 2 New Zealand High Court
injunctions ordering the removal of several OBRS listings. The compalies
who filed for these injunctions are Actrix and NZ Telecom.

I have written to this list one year ago, Allan Brown activity
is illegal, moreover hi helps hackers more than normal peoples.
Also good decision of NZ Court.

Piotr
---
Piotr Kasztelowicz  [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS, and RFC-ignorant blacklists

[Peter van Dijk]

On Sun, Jun 03, 2001 at 11:25:10AM +, Piotr Kasztelowicz wrote:
 Hello
 
 Alan Brown, operator of ORBS, was served 2 New Zealand High Court
 injunctions ordering the removal of several OBRS listings. The compalies
 who filed for these injunctions are Actrix and NZ Telecom.
 
 I have written to this list one year ago, Allan Brown activity
 is illegal, moreover hi helps hackers more than normal peoples.
 Also good decision of NZ Court.

I hate starting a flamethread (and hope you all are smart enough not
to), but ORBS does not help hackers.

Furthermore, Alan Brown's activities are not illegal - the ORBS
relaytester runs in The Netherlands, where this is not illegal by any
law.

Greetz, Peter.

Re: ORBS, and RFC-ignorant blacklists

[Johan Almqvist]

* Alex Pennace [EMAIL PROTECTED] [010601 04:25]:
 http://www.orbs.org/ says Due to circumstances beyond our control,
 the ORBS website is no longer available.

http://www.dorkslayers.com/ seems to be the successor in some ways. But
the first statement

It is our intention to never list IP addresses which have any of the
following characteristics:
- a physical location within the United States of America (USA)
[...]

makes me wonder a bit...

-Johan
-- 
Johan Almqvist
http://www.almqvist.net/johan/qmail/

 PGP signature

Re: ORBS, and RFC-ignorant blacklists

[David Talkington]

-BEGIN PGP SIGNED MESSAGE-

Alex Pennace wrote:

http://www.orbs.org/ says Due to circumstances beyond our control,
the ORBS website is no longer available.

That seems pretty abrupt.  Anyone know why they vanished?

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQEVAwUBOxdEQ71ZYOtSwT+tAQH2cAgAg1ScHjgE6LLgiSirhqf+P8MvWBUR++Gk
YcHOXAuB9t0wyA1dmfFmL/9Id1Lz54euavDrZsZ22+ikqhd3ov+uPPzTsP5vdE8l
tFwNTHugvIEKzwH0fxsyu/3sujeO/B3oCnfX13e0NaGTq1x8V8SFYw9Qt7GjOVz+
x+AL0cvYEB1+FAPY8TiEMbHG13BV0fcOKn3YTeSlCdDA4bmcsRhx5ChIrHO3nmQB
M9ZCoMYFEfN46fVSE3ygSj0/CdgC52oxh8aeHb969G3OEOOeHeG2GFK71pxg1+Zs
EkaU91OYAj17FpmHZR358LUQ2p5ianaNK4kYYgghPsaUtiLxIOxa9A==
=AdHz
-END PGP SIGNATURE-

Re: ORBS, and RFC-ignorant blacklists

[Johan Almqvist]

* David Talkington [EMAIL PROTECTED] [010601 09:29]:
 Alex Pennace wrote:
 http://www.orbs.org/ says Due to circumstances beyond our control,
 the ORBS website is no longer available.
 That seems pretty abrupt.  Anyone know why they vanished?

legalese
Alan Brown, operator of ORBS, was served 2 New Zealand High Court
injunctions ordering the removal of several OBRS listings. The compalies
who filed for these injunctions are Actrix and NZ Telecom.
/legalese

http://groups.google.com/groups?q=news.admin.net-abuse.email


-Johan
-- 
Johan Almqvist
http://www.almqvist.net/johan/qmail/

 PGP signature

Re: ORBS

[Piotr Kasztelowicz]

On Thu, 25 Jan 2001, Marcilio Jorgensen Cassella wrote:

   How to fix it, please ?

does support your server open relay throu smtp?

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS

[Chris Johnson]

On Thu, Jan 25, 2001 at 03:18:53PM -0200, Marcilio Jorgensen Cassella wrote:
   My SMTP server is in the ORBS list because:
 
 
  X-Token: qlyzkfjxdlcfhlrh
  X-Envelope-Sender: MAIL FROM:[EMAIL PROTECTED]
  X-Envelope-Recipient: RCPT
 TO:orbs-relaytest%manawatu.co.nz@[200.18.178.4]

You might be listed in ORBS, but I doubt this is why. If you're running qmail
and haven't enabled percenthack, then this won't get you into ORBS.

Chris

Re: ORBS

[Markus Stumpf]

On Thu, Jan 25, 2001 at 03:18:53PM -0200, Marcilio Jorgensen Cassella wrote:
 TO:orbs-relaytest%manawatu.co.nz@[200.18.178.4]
   How to fix it, please ?

You probably have a
control/percenthack
file. Remove it.

\Maex

Re: ORBS

[Peter van Dijk]

On Thu, Jan 25, 2001 at 03:18:53PM -0200, Marcilio Jorgensen Cassella wrote:
 Hi,
 
   My SMTP server is in the ORBS list because:
 
 
  X-Token: qlyzkfjxdlcfhlrh
  X-Envelope-Sender: MAIL FROM:[EMAIL PROTECTED]
  X-Envelope-Recipient: RCPT
 TO:orbs-relaytest%manawatu.co.nz@[200.18.178.4]

Headers for a relayed message look like:

-- CUT HERE
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 81844 invoked from network); 25 Jan 2001 18:01:41
-
Received: from unknown (HELO cronopio.ibase.org.br) (200.18.178.15)
  by massive.dataloss.net with SMTP; 25 Jan 2001 18:01:41 -
Received: from alternex.com.br (ax.alternex.com.br [200.18.178.1])
by cronopio.ibase.org.br (8.8.7/8.8.7) with ESMTP id PAA24946
for [EMAIL PROTECTED]; Thu, 25 Jan 2001 15:59:23 -0200
(EDT)
From: [EMAIL PROTECTED]
Received: from shadow.alternex.com.br (shadow.alternex.com.br
[200.18.178.4])
by alternex.com.br (8.8.7/8.8.7) with SMTP id PAA27300
for [EMAIL PROTECTED]; Thu, 25 Jan 2001 15:59:15 -0200 (EDT)
Date: Thu, 25 Jan 2001 15:59:15 -0200 (EDT)
Message-Id: [EMAIL PROTECTED]
Received: (qmail 19929 invoked by alias); 25 Jan 2001 17:58:01 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 19915 invoked from network); 25 Jan 2001 17:57:52
-
Received: from router-office.vuurwerk.net (HELO moi) (62.250.3.59)
  by shadow.alternex.com.br with SMTP; 25 Jan 2001 17:57:52 -
To: "undisclosed-recipients:;"@alternex.com.br

test

-- CUT HERE

Message comes into your qmailbox (shadow), is delivered to
ax.alternex.com.br (a sendmail box) through something you do with the alias
user. This box then sends it to cronopio.ibase.org.br, which delivers
the message to it's final recipient.

Both of these sendmail boxes are misconfigured - they treat the
address 'peter%dataloss.net@[someIP]' as '[EMAIL PROTECTED]'. Ask
your sendmail admin to disable that ugly percenthack.

Greetz, Peter.

Re: ORBS

[Peter van Dijk]

On Thu, Jan 25, 2001 at 12:52:35PM -0500, Chris Johnson wrote:
 On Thu, Jan 25, 2001 at 03:18:53PM -0200, Marcilio Jorgensen Cassella wrote:
  My SMTP server is in the ORBS list because:
  
  
   X-Token: qlyzkfjxdlcfhlrh
   X-Envelope-Sender: MAIL FROM:[EMAIL PROTECTED]
   X-Envelope-Recipient: RCPT
  TO:orbs-relaytest%manawatu.co.nz@[200.18.178.4]
 
 You might be listed in ORBS, but I doubt this is why. If you're running qmail
 and haven't enabled percenthack, then this won't get you into ORBS.

It does in his case, because he relays to misconfigured sendmailboxes.

Greetz, Peter.

Re: ORBS - NOT!

[Piotr Kasztelowicz]

Hello

On Mon, 27 Nov 2000 [EMAIL PROTECTED] wrote:

 I don't know what sort of qmail install you are running but qmail does run
 without ORBS. In fact the default qmail does not have any ORBS testing. What
 must have happened is that someone specifically added the ORBS test on
 your server.

A standard settings presented in /var/qmail/boot does not provide
using ORBS, also if you will chosen appropriate for your box/dir
format rc file, shall all be OK.

I has gone more wait and I had added to smtp settings on tcpserver
lines

orbs.relay.nl:deny
manawatu.co.nz:deny

thus I have rejected all proofs of tests, if ORBS would perform

Best Wishes

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS helps hackers to break into srevers

[Russell Nelson]

Piotr Kasztelowicz writes:
  Qmail is one MTA only, which suports and propagates ORBS "moral"

Who does this?  Not me.  If anybody asks about ORBS, I tell them not
to use it.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.

Re: ORBS - NOT!

[markd]

I don't know what sort of qmail install you are running but qmail does run
without ORBS. In fact the default qmail does not have any ORBS testing. What
must have happened is that someone specifically added the ORBS test on
your server.

You need to tell us more about your system. Specifically the startup
script for qmail-smtpd. If it's done in the usual manner, then it's
a one line change.


Regards.

 On Mon, Nov 27, 2000 at 06:28:42PM -0600, Chris Olson wrote:
 How do I configure qmail to *NOT* use ORBS.org for spam filtering?  I
 tried to remove the line in the startup scripts relating to ORBS, and
 the SMTP server refuses to run without it.  I don't want to start a
 flame war, but this outfit (ORBS) is blocking IP addresses unnecessarily
 - please read the following that I received from Road Runner... A rr
 user tried to send email to a domain that I host and it bounced because
 of ORBS and the 'HISTORY' outlined here.  I called Mark Herrick today
 and talked to him directly on the phone.  This is how I found out that
 qmail does this (uses ORBS) by default.  I *DO NOT* want my mail server
 using this outfit to filter spam..Mark had to use a hotmail address
 to contact me because of this 'filter' that ORBS has on their server.
 
 Any suggestions would be greatly appreciated.
 --
 Chris
 
 Begin pasted message
 **
 
 Subject: jerland.com blocking rr.com/mediaone.net via ORBS
 Date: Mon, 27 Nov 2000 10:30:16 -0500
 From: "W. Mark Herrick" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 CC: [EMAIL PROTECTED]
 
 Hello,
 
 We are currently experiencing problems delivering email to jerland.com.
 This 
 is due to a manual block from the ORBS system of which jerland.com 
 subscribes. Although we have a thorough anti-SPAM policy and properly 
 address these issues, Road Runner has been manually added to the ORBS
 list 
 due to a request we made to the ORBS administrators. (see HISTORY) With 
 analysis and discussions with other providers, we believe that the
 impact of 
 the ORBS block is very minimal and easily corrected on a case-by-case
 basis. 
 We are currently only hearing 1 or 2 reports per week from our entire 
 customer base. We will take the information provided and work with each 
 provider to correct it with them directly.
 
 I can assure you that the IP address that ORBS is currently blocking is
 in 
 no way an open relay, and that it is being blocked solely due to ORBS' 
 testing servers being refused at our border routers. Road Runner takes
 the 
 issue of open relay servers very seriously, and, in addition to
 immediately 
 closing them as they are detected, performs proactive relay detection
 checks 
 on its own network. Likewise, Road Runner also takes the issue of 
 unauthorized probes very seriously, and as such has taken steps to
 minimize 
 potential abuse from outside sources. Many other major Internet Service 
 providers, such as Above.net, have taken this stance along with us. You
 may 
 wish to take a look at http://www.orbs.org/hallofshame.html to see who
 else 
 is "spite listed" by the ORBS project.
 
 ORBS is currently blocking Road Runner IP Addresses with a DNS "A"
 record of 
 127.0.0.4 - These are, according to the ORBS web site, considered 
 "untestable netblock entries" (see HISTORY). ORBS has, however, recently 
 made available a number of different "zones" that providers can
 currently 
 utilize to block unwanted SPAM mail from open relay sources, but that
 will 
 not block those "untestable netblock entries" sites such as Road Runner, 
 Above.Net, and Carnegie Mellon University.
 
 More information regarding these "zones" can be found at 
 http://www.orbs.org/usingindex.html - All that is necessary to make this 
 change is to modify your mail server to query the ORBS database at 
 "outputs.orbs.org" instead of "relays.orbs.org". This will NOT affect
 the 
 amount of SPAM that your servers block, only the amount of false
 positives 
 that are affecting our combined users.
 
 I would sincerely hope that you reconsider and/or restructure your use
 of 
 the ORBS project. I can be directly reached at 703-345-2477 if you wish
 to 
 discuss this further.
 
 Sincerely,
 W. Mark Herrick, Jr. [EMAIL PROTECTED]
   Operations Security Manager
  Team Lead - Usenet Operations
   Road Runner Security - 703.345.2477
 [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
 
 HISTORY:
 
 Road Runner customers and Affiliates initially contacted us with a
 security 
 issue. They were concerned with their privacy and security when an
 unknown 
 entity (to them) began scanning them without permission. We initially
 tried 
 to address this case by case and later contacted the ORBS administrators
 and 
 requested this unwelcome scanning terminated. This is analogous to
 someone 
 requesting they be removed from a list that they did not subscribe to.
 With 
 this request, all Road Runner IP space was unexpectedly added to the
 ORBS 
 list 

Re: ORBS - NOT!

[Chris Johnson]

On Mon, Nov 27, 2000 at 06:28:42PM -0600, Chris Olson wrote:
 How do I configure qmail to *NOT* use ORBS.org for spam filtering?  I tried
 to remove the line in the startup scripts relating to ORBS, and the SMTP
 server refuses to run without it. 

There's no such thing as "the" line in the startup script relating to ORBS, and
nobody has any idea what your particular startup line looked like before or
what it looks like now.

Why don't you tell us?

Chris

Re: ORBS - NOT!

[Chris Olson]

Chris Johnson wrote:
 
 There's no such thing as "the" line in the startup script relating to ORBS, and
 nobody has any idea what your particular startup line looked like before or
 what it looks like now.

OK.  I assumed that all installations of qmail used this.  I'm running a
Corel Server Version (Debian) Linux box and qmail 1.03 came with the
distribution.  This is a fresh install and the script has not been
modified.  The startup script is /etc/init.d/qmail   Here's a copy of
the startup script for your review.
--
Chris

#!/bin/sh

if [ -f /var/qmail/control/qmail_environment ]; then
/var/qmail/control/qmail_environment
fi
QMAILDUID=`id -u qmaild`
QMAILDGID=`id -g qmaild`

case "$1" in
start)
echo -n "Starting qmail: qmail-send"
csh -cf '/var/qmail/rc '

killall  supervise  /dev/null
killall  tcpserver  /dev/null
supervise /var/lock/qmail-smtpd tcpserver -v -x/etc/tcp.smtp.cdb
-u$QMAILDUID -g$QMAILDGID 0 25 \
rblsmtpd -rrelays.orbs.org /var/qmail/bin/qmail-smtpd 21 | setuser
qmaill accustamp | \
setuser qmaill cyclog -s500 -n5 /var/log/qmail/qmail-smtpd 

echo  "."
;;
stop)
echo -n "Stopping mail-transfer agent: qmail"
killall -TERM qmail-send

echo "."
;;
restart)
$0 stop
$0 start
;;
reload|force-reload)
echo "Reloading 'locals' and 'virtualdomains' control files."
killall -HUP qmail-send
;;
*)
echo 'Usage: /etc/init.d/qmail {start|stop|restart|reload}'
exit 1
esac
exit 0

Re: ORBS - NOT!

[markd]

On Mon, Nov 27, 2000 at 07:01:20PM -0600, Chris Olson wrote:
 Chris Johnson wrote:
  
  There's no such thing as "the" line in the startup script relating to ORBS, and
  nobody has any idea what your particular startup line looked like before or
  what it looks like now.
 
 OK.  I assumed that all installations of qmail used this.  I'm running a
 Corel Server Version (Debian) Linux box and qmail 1.03 came with the
 distribution.  This is a fresh install and the script has not been

Great. Yet more Frankinmail...

Change this line:

rblsmtpd -rrelays.orbs.org /var/qmail/bin/qmail-smtpd 21 | setuser

to:

/var/qmail/bin/qmail-smtpd 21 | setuser

then restart.


Regards.

Re: ORBS - NOT!

[Ben Beuchler]

On Mon, Nov 27, 2000 at 07:01:20PM -0600, Chris Olson wrote:

 OK.  I assumed that all installations of qmail used this.  I'm running a
 Corel Server Version (Debian) Linux box and qmail 1.03 came with the
 distribution.  This is a fresh install and the script has not been
 modified.  The startup script is /etc/init.d/qmail   Here's a copy of
 the startup script for your review.

snip

 supervise /var/lock/qmail-smtpd tcpserver -v -x/etc/tcp.smtp.cdb
 -u$QMAILDUID -g$QMAILDGID 0 25 \
 rblsmtpd -rrelays.orbs.org /var/qmail/bin/qmail-smtpd 21 | setuser

Two options: replace "-rrelays.orbs.org" with "-routputs.orbs.org" or
delete "rblsmtpd -rrelays.orbs.org" from the line, leaving the rest
intact.

The first option would continue to give you the benefit of spam
filtering without blocking the 'manual list' and the second option would
remove RBL filtering entirely.

Ben


-- 
Ben Beuchler [EMAIL PROTECTED]
MAILER-DAEMON (612) 321-9290 x101
Bitstream Underground   www.bitstream.net

Re: ORBS - NOT!

[Henning Brauer]

Am Dienstag, 28. November 2000 02:01 schrieb Chris Olson:

 rblsmtpd -rrelays.orbs.org /var/qmail/bin/qmail-smtpd 21 | setuser
 qmaill accustamp | \
 setuser qmaill cyclog -s500 -n5 /var/log/qmail/qmail-smtpd 

Sorry Chris,

how braindead are you? Is it really _so_ hard to see where orbs is used here? 
You should have read a least the documentation before wasting bandwidth and 
our time.
 
-- 

Henning Brauer |  BS Web Services
Hostmaster BSWS  |  Roedingsmarkt 14
[EMAIL PROTECTED]  |  20459 Hamburg
www.bsws.de|  Germany

Re: ORBS - NOT!

[Ben Beuchler]

On Tue, Nov 28, 2000 at 05:42:58AM +0100, Henning Brauer wrote:

 Am Dienstag, 28. November 2000 02:01 schrieb Chris Olson:
 
  rblsmtpd -rrelays.orbs.org /var/qmail/bin/qmail-smtpd 21 | setuser
  qmaill accustamp | \
  setuser qmaill cyclog -s500 -n5 /var/log/qmail/qmail-smtpd 
 
 Sorry Chris,
 
 how braindead are you? Is it really _so_ hard to see where orbs is used here? 
 You should have read a least the documentation before wasting bandwidth and 
 our time.

plonk

-- 
Ben Beuchler [EMAIL PROTECTED]
MAILER-DAEMON (612) 321-9290 x101
Bitstream Underground   www.bitstream.net

Re: ORBS helps hackers to break into srevers

[Piotr Kasztelowicz]

On Mon, 20 Nov 2000, Adam McKenna wrote:

 Hello, this list is for discussion of qmail, if you wish to discuss orbs
 please take this to SPAM-L or elsewhere.

The answer for all subscibers, Adam, I am not sure that this is disscusion
for spam-l rather than qmail list.

Qmail is one MTA only, which suports and propagates ORBS "moral" and
technical thus availablility to connect with qmail platform to ORBS
and reject mail from listed by ORBS hosts.

Neither sendmail nor postfix is interested with ORBS anty-spam system
and don't support ORBS. The ORBS system is also by sendmail's and
postfix's team not accepted. There only qmail administrators may
use ORBS.

If qmail team will resign to support ORBS their criminal story
will be finished. Also you as qmail propagator too has more
to deceide with them. This is also great question to you. 

In my opinion ORBS - there are hackers supporters and first of
all the hackers use the effects of its test to search "good" for
hacking hosts. I have presented it on this list. Addtionaly - this
is difficult to discuss with ORBS, while no person's name, who
manage with them has been listed on ORBS WWW page.
This is realy last posting form me on this subject and I think
all has been said. I hope to be reason to think about this problem,
which depends me personal and as I suppose the many host's admin

Piotr Kasztelowicz, MD
Vicepresident of Polish Medical Internet Society
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS helps hackers to break into srevers

[OK 2 NET - André Paulsberg]

 Qmail is one MTA only, which suports and propagates ORBS "moral" and
 technical thus availablility to connect with qmail platform to ORBS
 and reject mail from listed by ORBS hosts.

 Neither sendmail nor postfix is interested with ORBS anty-spam system and don't 
support ORBS.
 The ORBS system is also by sendmail's and postfix's team not accepted.
 There only qmail administrators may use ORBS.

This is NOT true, and you are way off mark.

1. There is no official support of ORBS to my knowledge from QMAIL and its authors,
   not in the way you are implying in your posting to this list.

2. Sendmail and postfix and ALL other mailprograms/MTA's that support RBL-type 
blocking,
   will automaticly support ORBS and any other lists like it.

3. There are several conserend QMAIL admins how desperatly try to make their
   workload less affected by other mail-administrators poorly secured servers.

4. There are several other mail admins that run other MTA-software,
   who also run with ORBS with or without the "support" of the MTA-vendor.


 If qmail team will resign to support ORBS their criminal story will be finished.
 Also you as qmail propagator too has more to deceide with them.
 This is also great question to you.

You seem to mean that ORBS has done something wrong to you and/or others,
yet you have little or no evidence of your claims about criminal activities.


 In my opinion ORBS - there are hackers supporters and first of all the
 hackers use the effects of its test to search "good" for hacking hosts.

You seemed to have messed up you server and are now blaming ORBS for it,
your hacker visits could JUST aswell found your server like they did
BEFORE you where reported to ORBS and subsequently listed there.


 I have presented it on this list.
 Addtionaly - this is difficult to discuss with ORBS,
 while no person's name, who manage with them has been listed on ORBS WWW page.

His name is Alan Brown, and on his www.orbs.org page he has a [EMAIL PROTECTED]
as the contact address which should get you in contact with the adminitrators.


 This is realy last posting form me on this subject and I think
 all has been said. I hope to be reason to think about this problem,
 which depends me personal and as I suppose the many host's admin

You should realy get your server RE-TESTET, if it is secure it will
be removed but this is only possible if you are NOT blocking ORBS.

Your earlyer mails said you where blocking ORBS,
maybe ORBS administrators are TRYING to get in contact with you?


Regards André Paulsberg

Re: ORBS helps hackers to break into srevers

[Johan Almqvist]

[sorry but this was just too much...]

On Mon, Nov 20, 2000 at 01:33:22PM +0100, Piotr Kasztelowicz wrote:
 Qmail is one MTA only, which suports and propagates ORBS "moral" and
 technical thus availablility to connect with qmail platform to ORBS
 and reject mail from listed by ORBS hosts.
 Neither sendmail nor postfix is interested with ORBS anty-spam system
 and don't support ORBS. The ORBS system is also by sendmail's and
 postfix's team not accepted. There only qmail administrators may
 use ORBS.

That is WRONG. I use ORBS on a number of servers that run sendmail,
postfix and Exim. It works like a charm, keeps out spam and has a few too
many false positives, which come in thru my secondary MX's (real spammers
don't usually retry sending to a fallback host...)

 If qmail team will resign to support ORBS their criminal story
 will be finished. Also you as qmail propagator too has more
 to deceide with them. This is also great question to you. 

Who is the qmail team? I have never heard of them and would like to make
their acquaintance.

 In my opinion ORBS - there are hackers supporters and first of
 all the hackers use the effects of its test to search "good" for
 hacking hosts. I have presented it on this list. Addtionaly - this
 is difficult to discuss with ORBS, while no person's name, who
 manage with them has been listed on ORBS WWW page.
 This is realy last posting form me on this subject and I think
 all has been said. I hope to be reason to think about this problem,
 which depends me personal and as I suppose the many host's admin

Can you please provide proof for ORBS supporting script kiddies?

If you mean that the OBRS list of potential relaying host as such
constitutes help to script kiddies, why does this not apply to other RBL
lists? And what technical solution to spreading such lists of IP's in a
secure manner do you propose?

 Piotr Kasztelowicz, MD
 Vicepresident of Polish Medical Internet Society

-Johan Almqvist
First Executive President of the International Swedish Society for Spam
Prevention, Yet To Be Founded.
-- 
Johan Almqvist

Re: ORBS helps hackers to break into srevers

[Adam McKenna]

On Mon, Nov 20, 2000 at 01:33:22PM +0100, Piotr Kasztelowicz wrote:
 On Mon, 20 Nov 2000, Adam McKenna wrote:
 
  Hello, this list is for discussion of qmail, if you wish to discuss orbs
  please take this to SPAM-L or elsewhere.
 
 The answer for all subscibers, Adam, I am not sure that this is disscusion
 for spam-l rather than qmail list.

*PLONK*

--Adam

Re: ORBS helps hackers to break into srevers

[Alex Pennace]

On Mon, Nov 20, 2000 at 07:08:33AM +0100, Piotr Kasztelowicz wrote:
 It not difficult to spuppose, that if MTA were old and
 insecure=possible for open relay the rest of sotwares
 are insecure too.

There are many insecure hosts that are not on the ORBS list simply
because they are not running an open relay. There are many hosts
listed in ORBS that are otherwise secure but someone made an
oopsie. In particular, I believe many older but still prevalent Linux
distributions came with MTAs that were open relays by default but were
otherwise secure.

 There is problem with them, tha
 the list of "relay host's" is widely published on net,
 instead to send it interested admin.

Let's entertain your thoughts on security: if a host is truly
comprimised either by being an open relay or other vulnerability, why
should other hosts have to endure abuse from it? ORBS allows other
administrators to block out a certain subset of hosts.

And even without ORBS there are still plenty of ways for the local
script kiddie to find your system.

 PGP signature

Re: ORBS helps hackers to break into srevers

[Piotr Kasztelowicz]

On Mon, 20 Nov 2000, OK 2 NET - André Paulsberg wrote:

 This is NOT true, and you are way off mark.
 
 1. There is no official support of ORBS to my knowledge from QMAIL and its authors,
not in the way you are implying in your posting to this list.
 
 2. Sendmail and postfix and ALL other mailprograms/MTA's that support RBL-type 
blocking,
will automaticly support ORBS and any other lists like it.

OK, you are right, I'm sorry

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS helps hackers to break into srevers

[Alex Pennace]

On Mon, Nov 20, 2000 at 01:35:20AM +0100, Piotr Kasztelowicz wrote:
 I will say about my experience with ORBS (as network administrator) 
 because the peoples associated with qmail have given good recommendation
 to
 use and base on ORBS as good anti-spam method. 
 
 I let to be another opinion!
 
 After crush of one of Polish Cardiac Society's Server placed in Lodz (I
 administrate others servers) I have been asked to help with
 administrating
 and making secure of this host. Till September it was really insecure
 and indicated
 (as I think and see) by ORBS as insecure.

Okay, so ORBS thought the previous incarnation of the mail host was an
open relay.

 Exactly - not excluded - that
 already
 this time helped it hackers "to find it as easy to break".

You mean by relaying through the server? I believe ORBS only divulges
open relay IPs when the hosts in question persist in being open
relays. Presuming your server didn't reach that point, the only way
spammers could have found it was by looking up your IP at random
through the ORBS DNS or by scanning the net.

 Since October, after crush I have installed - nota bene recommended by
 ORBS
 and this mailing list software - so, qmail as mail system and tcpserver
 provided to secure qmail as well as telnetd, ftpfd and others insecure 
 Internet's daemons. 

Gotcha.

 November 5,  I have observed the proof of port scanning thus relay-test
 by
 ORBS. There are accepted by secured against open relay smtp, because
 ORBS
 applied to allocate addresses with domain of tested host (also
 @lodz.ptkardio.pl).

Ok.

 The test was continued till November 9, This time I was taken away from
 my Hospital - I was participating at Polish Medical Internet Conference,
 where
 I have said about qmail and tcpserver as good security system to
 Internet servers too.
 
 "Nov  5 10:49:13 sun smtp: tcpserver: ok 16751 :212.51.193.152:25
 relaytest.orbs.
 vuurwerk.nl:194.178.232.55::4445"
 
 
 This time was the proof to attack this server, prior "tested by orbs"

That log snippet only shows that ORBS connected to your SMTP
service. That is hardly an attack.

 The hackers have not broken the tcpserver, but system are not responding
 and this time we can't give our reaction. Now when the friends from Lodz
 had rebooted the server, it has been worked correctly. I was beginning
 to analyze of logs
 
 The logs have indicated the Romania as hackers place:
 
 "Nov  9 12:13:05 sun telnet: tcpserver: deny 18305 :212.51.193.152:23
 falconsrl.r
 dsnet.ro:193.231.236.12::3802"
 
 All has been after this attack in short time restored. But in some time
 ORBS was beginning
 again the test. And in this same time I have observed again more proofs
 of hacking -
 good luck - without damaging.

That's ridiculous. How could a failed connection attempt from a host
in Romania be considered a crack attempt? What does it have to do with
ORBS?

 I have send to ORBS the requests to cancel me from their data base and
 stop with
 testing, because I'm of opinion, that this data base use first of all
 hackers.

You can certainly ask them to stop testing, but the ORBS database
doesn't keep top secret information, it is just a list of IPs. There
are many interesting hosts out there, most of which aren't listed in
ORBS.

 If during test has been by me observed increased activity of attack I
 can suppose,
 that hackers this time have information which host is tested and which
 one host is
 established as insecure. Where!

ORBS only lists hosts that are open mail relays. ORBS doesn't check
for any other vulnerabilities.

 I have blocked smtp machines to bounce all mail's from ORBS: Effect is
 good, but
 ORBS apply be still active:
 
 "Nov 20 00:22:39 sun smtp: tcpserver: deny 7226 :212.51.193.152:25
 mail2.manawatu
 .net.nz:202.36.148.21:postmaster:1932"
 
 WHY!

Is that even an ORBS tester, or are you now blocking legitimate mail?

 PLEASE DON'T RECOMMEND ATE ORBS. There are criminal activity. My host
 can by
 during its appreciation damaged!

129.63.206.57. That's an IP, I just listed an IP. Am I a criminal?

The story I got so far is ORBS tested your machine and found it to be
an open relay. You fixed it and ORBS tested you again. Meanwhile there
were isolated connection attempts from Romania and a system crash you
haven't firmly correlated to anything else.

Given those facts, solar flares seems a more plausible culprit than ORBS.

 PGP signature

Re: ORBS helps hackers to break into srevers

[Piotr Kasztelowicz]

On Sun, 19 Nov 2000, Alex Pennace wrote:

 The story I got so far is ORBS tested your machine and found it to be
 an open relay. You fixed it and ORBS tested you again. Meanwhile there
 were isolated connection attempts from Romania and a system crash you
 haven't firmly correlated to anything else.
 

The hackers read ORBS data base called by its "insecure hosts"
and apply to break hosts direclty from list!

The ORBS insecure hosts' data base is possible to read for all,
but I think logic, that should be first of all for administator
of indicated host, and when they made nothing to improve security,
then could be disscused to inform about such host widely.

Also answer the question why, the hackers finished with proofs,
when I have blocked complete access to my host for ORBS?

And why I'm existing still in data base of insecure hosts,
when my host is already secure and works on recommended software
(qmail, tcpserver)? I'm existing, because I let me to request
to finish scanning smtp my host and I'm established by ORBS
as "bad"?

I think, that Internet's societies should be sensitive for
all organization on Net, wich gives itself the privileges
to say where is correct and where is incorect. 

Best Wishes

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS helps hackers to break into srevers

[Alex Pennace]

On Mon, Nov 20, 2000 at 02:14:57AM +0100, Piotr Kasztelowicz wrote:
 The hackers read ORBS data base called by its "insecure hosts"
 and apply to break hosts direclty from list!

ORBS only lists hosts that are open mail relays. ORBS doesn't list
hosts that are not open relays but have other vulnerabilities.

ORBS is not a list of hosts with insecure telnet daemons.

ORBS is not a list of hosts with insecure ftp daemons.

 The ORBS insecure hosts' data base is possible to read for all,
 but I think logic, that should be first of all for administator
 of indicated host, and when they made nothing to improve security,
 then could be disscused to inform about such host widely.

ORBS is meant to blacklist problem hosts immediately, to curtail
damage to other systems.

 Also answer the question why, the hackers finished with proofs,
 when I have blocked complete access to my host for ORBS?

Maybe the "hackers" have nothing to do with ORBS. Your only shred
of proof is a connection attempt to telnet from Romania.

 And why I'm existing still in data base of insecure hosts,
 when my host is already secure and works on recommended software
 (qmail, tcpserver)? I'm existing, because I let me to request
 to finish scanning smtp my host and I'm established by ORBS
 as "bad"?

Send mail to ORBS and try to resolve this with them.

 PGP signature

Re: ORBS helps hackers to break into srevers

[Piotr Kasztelowicz]

Hello

 ORBS only lists hosts that are open mail relays. ORBS doesn't list
 hosts that are not open relays but have other vulnerabilities.
 
 ORBS is not a list of hosts with insecure telnet daemons.
 
 ORBS is not a list of hosts with insecure ftp daemons.

It not difficult to spuppose, that if MTA were old and
insecure=possible for open relay the rest of sotwares
are insecure too. There is problem with them, tha
the list of "relay host's" is widely published on net,
instead to send it interested admin.

 Send mail to ORBS and try to resolve this with them.

ORBS has ignored all letters and will not stop scanning
of my host

Best Wishes

Piotr
---
Piotr Kasztelowicz [EMAIL PROTECTED]
[http://www.am.torun.pl/~pekasz]

Re: ORBS helps hackers to break into srevers

[Adam McKenna]

On Mon, Nov 20, 2000 at 07:08:55AM +0100, Piotr Kasztelowicz wrote:
  Send mail to ORBS and try to resolve this with them.
 
 ORBS has ignored all letters and will not stop scanning
 of my host

Hello, this list is for discussion of qmail, if you wish to discuss orbs
please take this to SPAM-L or elsewhere.

Thanks,

--Adam

-- 
Adam McKenna [EMAIL PROTECTED] | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  1:28am  up 162 days, 23:44, 12 users,  load average: 0.07, 0.10, 0.37

Re: orbs and qmail

[Nathan J. Mehl]

In the immortal words of Kevin Waterson ([EMAIL PROTECTED]):
  
  ORBS doesn't use the abuse.net tests to determine who is
  an open relay.  
 To quote from the ORBS site
 Try Abuse.Net's new relay tester (requires registration). This is the
 only web-based tester which carries out the same set of tests which ORBS
 does. 

The text on the orbs.org website is, unfortunatly, misleading.  Alan
Brown, the person who is ORBS, has given more cogent explanations of
how the tester works on various mailing lists and newsgroups.

ORBS uses the abuse.net tester...with one VERY important difference:
they actually check to see if the relayed message is received at the
final destination address.  The fact that qmail "accepts" the message
will NOT result in being listed by ORBS: the message would actually
have to be incorrectly relayed for that to happen.

Hopefully, it should be self-evident why the abuse.net tester does not
do this.  (Hint: it would make a great mailbombing service.)

There are many legitimate complaints that people have had about ORBS'
behavior (such as "spite listings" and the fact that its tests
generate spam to postmasters of correctly configured machines), but
even ORBS' most vocal detractors (and I have been one of those) do not
believe that a correctly configured qmail server will, on its own,
generate an ORBS listing.

-n

--[EMAIL PROTECTED]
And when love is gone, there's always justice.  And when justice is gone
there's always force.  And when force is gone, threre's always mom.  Hi mom!
 (--Laurie Anderson)
http://www.blank.org/memory/--

RE: orbs and qmail

[frob]

On 20-Oct-2000 Kevin Waterson wrote:
 
 I made a check of the server and all was well but
 when I checked it from the facility at
 abuse.net I found it was reporting an open relay.
 
 The problem it seems stems from qmails handling of
 one of the tests has qmail accepting the mail and
 dealing with it internally, so that probably ever
 qmail server will eventually end up listed on orbs,
 with an incorrectly assumed open relay.

ORBS doesn't use the abuse.net tests to determine who is
an open relay.  Typically, ORBS requires the delivery of a
piece of email via the alleged open relay before adding
that host ot its list.  A properly configured qmail server
will not act as an open relay even as it fails the abuse.net
test.

Having said that, it is possible to be listed even if your
server is not an open relay, usually because one of your
clients is open, and they are using your server for outbound
mail.  Simply correct your clients config and signal your
server as fixed via the ORBS web page.  For a more permament
fix, run ORBS on your servers against your clients, and list
your servers(s) as ORBS hubs.

 But we needed action quickly as users were complaining
 so we had to switch our primary server to sendmail, to
 avoid any confusion.
 
 Now, if Orbs are incorrectly listing services perhaps
 we here need to follow up with our legal people.

This is a charge frequently levelled at ORBS; indeed,
our servers have been incorrectly listed twice.  However,
once was a typographical error on the part of an admin, and
the other because a netblock was listed with the wrong
ownership at the relevant authority.  In both cases, the
error was quickly attended to by ORBS admin.

-- 
Rick Lyons
WebCentral

Re: orbs and qmail

[Adam McKenna]

On Fri, Oct 20, 2000 at 03:36:23PM +1100, Kevin Waterson wrote:
 Recently, after running qmail for 3 years on our
 primary mail server, we found ourselves listed on orbs.
 It seems we were acting as an open relay and that
 many mailers were simply bouncing mail from our
 domain.
 
 I made a check of the server and all was well but
 when I checked it from the facility at
 abuse.net I found it was reporting an open relay.
 
 The problem it seems stems from qmails handling of
 one of the tests has qmail accepting the mail and
 dealing with it internally, so that probably ever
 qmail server will eventually end up listed on orbs,
 with an incorrectly assumed open relay.

No.  This is NOT the reason you were listed.  Hosts are added to ORBS only
AFTER the relay test is received back by the tester.

--Adam

-- 
Adam McKenna [EMAIL PROTECTED] | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  3:16am  up 132 days, 32 min, 10 users,  load average: 0.07, 0.03, 0.00

Re: orbs and qmail

[Kevin Waterson]

[EMAIL PROTECTED] wrote:
 
 On 20-Oct-2000 Kevin Waterson wrote:
 
  I made a check of the server and all was well but
  when I checked it from the facility at
  abuse.net I found it was reporting an open relay.
 
  The problem it seems stems from qmails handling of
  one of the tests has qmail accepting the mail and
  dealing with it internally, so that probably ever
  qmail server will eventually end up listed on orbs,
  with an incorrectly assumed open relay.
 
 ORBS doesn't use the abuse.net tests to determine who is
 an open relay.  
To quote from the ORBS site
Try Abuse.Net's new relay tester (requires registration). This is the
only web-based tester which carries out the same set of tests which ORBS
does. 

Typically, ORBS requires the delivery of a
 piece of email via the alleged open relay before adding
 that host ot its list.  A properly configured qmail server
 will not act as an open relay even as it fails the abuse.net
 test.
So what is point of having a test that does not give correct
results? It would seem any qmail server will fail the test as
qmail will accept the miscreant mail and deal with it internally.
This behaviour, according to ORBS, will have you listed as an
open relay.


-- 
Kind regards

Kevin Waterson

Re: orbs and qmail

[Adam McKenna]

On Sat, Oct 21, 2000 at 07:41:09AM +1100, Kevin Waterson wrote:
 Typically, ORBS requires the delivery of a
  piece of email via the alleged open relay before adding
  that host ot its list.  A properly configured qmail server
  will not act as an open relay even as it fails the abuse.net
  test.
 So what is point of having a test that does not give correct
 results? It would seem any qmail server will fail the test as
 qmail will accept the miscreant mail and deal with it internally.
 This behaviour, according to ORBS, will have you listed as an
 open relay.

Are you a moron, or can you just not read?  Do I have to quote from the ORBS
web site?

"ORBS only counts a host as open if it actually delivers the test messages.
Bounces are ignored for databasing purposes. Most of the online testers which 
perform multiple tests stop as soon as one envelope is accepted, so may give 
misleading results if they don't actually check for delivery and continue the 
test sequence if the message isn't delivered."

http://www.orbs.org/envelopes.html

--Adam

-- 
Adam McKenna [EMAIL PROTECTED] | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  4:47pm  up 132 days, 14:02,  9 users,  load average: 0.00, 0.00, 0.00

Re: orbs and qmail

[John R. Levine]

I made a check of the server and all was well but
when I checked it from the facility at
abuse.net I found it was reporting an open relay.

Sigh.  He must be referring to the place that says in large ugly
blinking letters:

 BLINKBTHIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY./B/BLINK

  If it is really an open relay, the test message will be delivered to
  you. If you do not receive the test message in your e-mail in the next
  few hours, it BIS NOT/B an open relay.

I wish there were some way I could make this stuff more idiot
resistant, but some idiots can resist anything.

Regards,
John Levine, [EMAIL PROTECTED], http://www.abuse.net, Trumansburg NY
abuse.net postmaster

Re: orbs and qmail

[Chris Thorman]

Are your tcprules set up correctly to deny open relaying to everyone except your 
internal users?  Is your /var/qmail/control/rcpthosts set up correctly?

If not, then you may be acting as an open relay.

-c


At 3:36 PM +1100 10/20/00, Kevin Waterson wrote:
Recently, after running qmail for 3 years on our
primary mail server, we found ourselves listed on orbs.
It seems we were acting as an open relay and that
many mailers were simply bouncing mail from our
domain.

I made a check of the server and all was well but
when I checked it from the facility at
abuse.net I found it was reporting an open relay.

The problem it seems stems from qmails handling of
one of the tests has qmail accepting the mail and
dealing with it internally, so that probably ever
qmail server will eventually end up listed on orbs,
with an incorrectly assumed open relay.

But we needed action quickly as users were complaining
so we had to switch our primary server to sendmail, to
avoid any confusion.

Now, if Orbs are incorrectly listing services perhaps
we here need to follow up with our legal people.

Kind regards

Kevin Waterson



Chris Thorman   (413) 473-0853 e-fax

RE: ORBS

[Alexander Jernejcic]

hi,
to put in in a nutshell:
put domains to receive mails for into ~/control/rcpthosts
put ip-adressess for which you wish to relay into /etc/tcp.smtp.cdb
don't use the relaymailfrom-patch  - ORBS checks this! self-experience ;) 

[room for steps anyone else would add]

;) a

==
Alexander Jernejcic  
email:[EMAIL PROTECTED]

begin LOVE-LETTER-UND-NIX-DAZUGELERNT.txt.vbs
I am a Signature, not a Virus!
end

==

 -Original Message-
 From: Mark Walsh [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, October 07, 2000 10:41 PM
 To: Qmail
 Subject: ORBS
 
 
 I seen a lot of discussion on the ORBS issue in the past.  However, did any
 ever post the solution to closing the relay for spam?  Make the instructions
 clear for this newbie will you?
 
 Mark Walsh
 slowly learning linux...
 
 

RE: ORBS

[Brett Randall]

I never was following this thread...but read the archives.
http://www-archive.ornl.gov:8000/

/BR

 
Manager
InterPlanetary Solutions
http://ipsware.com/


 -Original Message-
 From: Mark Walsh [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, October 08, 2000 6:41 AM
 To: Qmail
 Subject: ORBS
 
 
 I seen a lot of discussion on the ORBS issue in the past.  
 However, did any
 ever post the solution to closing the relay for spam?  Make the 
 instructions
 clear for this newbie will you?
 
 Mark Walsh
 slowly learning linux...
 
 

Re: ORBS doesn't like me :(

[Vince Vielhaber]

On Tue, 5 Sep 2000, Andy Meuse wrote:

 Hi All,
 
 I just recieved an email from ORBS branding my mail server and open relay. I
 looked in my tcp.smtp and I think I know why.
 
 172.16.3.:allow,RELAYCLIENT=""
 4.17.165.0.:allow,RELAYCLIENT=""
 207.244.122.53.:allow,RELAYCLIENT=""
 :allow
 
 I would imagine it's that allow on the last line right?

wrong.  The relayclient variable isn't set in it.  What do you 
have in /var/qmail/control/rcpthosts?

Vince.
-- 
==
Vince Vielhaber -- KA8CSHemail: [EMAIL PROTECTED]http://www.pop4.net
 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directoryhttp://www.camping-usa.com
   Online Giftshop Superstorehttp://www.cloudninegifts.com
==

Re: ORBS doesn't like me :(

[Alexander Pennace]

On Tue, Sep 05, 2000 at 10:26:55AM -0400, Andy Meuse wrote:
 I just recieved an email from ORBS branding my mail server and open relay I
 looked in my tcp.smtp and I think I know why.
 
 172.16.3.:allow,RELAYCLIENT=""
 4.17.165.0.:allow,RELAYCLIENT=""
 207.244.122.53.:allow,RELAYCLIENT=""
 :allow
 
 I would imagine it's that allow on the last line right?

No, that just tells tcpserver whether to accept or reject the
connection completely. What does /var/qmail/control/rcpthosts say?

 PGP signature

RE: ORBS doesn't like me :(

[Andy Meuse]

Hmmm. I removed my rcpthosts file.

 On Tue, Sep 05, 2000 at 10:26:55AM -0400, Andy Meuse wrote:
  I just recieved an email from ORBS branding my mail server 
 and open relay I
  looked in my tcp.smtp and I think I know why.
  
  172.16.3.:allow,RELAYCLIENT=""
  4.17.165.0.:allow,RELAYCLIENT=""
  207.244.122.53.:allow,RELAYCLIENT=""
  :allow
  
  I would imagine it's that allow on the last line right?
 
 No, that just tells tcpserver whether to accept or reject the
 connection completely. What does /var/qmail/control/rcpthosts say?
 

Re: ORBS doesn't like me :(

[Johan Almqvist]

On Tue, Sep 05, 2000 at 10:26:55AM -0400, Andy Meuse wrote:
 Hi All,
 
 I just recieved an email from ORBS branding my mail server and open relay. I
 looked in my tcp.smtp and I think I know why.
 
 172.16.3.:allow,RELAYCLIENT=""
 4.17.165.0.:allow,RELAYCLIENT=""
 207.244.122.53.:allow,RELAYCLIENT=""

Why the . (dot) after a complete IP adress? Could that be messing things up?
Also, what does control/percenthack say?

-Johan
-- 
Johan Almqvist

Re: ORBS doesn't like me :(

[Dave Sill]

"Andy Meuse" [EMAIL PROTECTED] wrote:

I just recieved an email from ORBS branding my mail server and open relay. I
looked in my tcp.smtp and I think I know why.

172.16.3.:allow,RELAYCLIENT=""
4.17.165.0.:allow,RELAYCLIENT=""
207.244.122.53.:allow,RELAYCLIENT=""
:allow

I would imagine it's that allow on the last line right?

You would imagine incorrectly, then. :-) That last line just says that 
your SMTP service is open to the public--which is SOP for SMTP
servers.

You must have some other problem, like a ~alias/.qmail-default that
reroutes otherwise undeliverable mail to another host that implements
% or ! addressing.

The message from ORBS should contain the offending message, which
should show the problem.

-Dave

Re: ORBS doesn't like me :(

[Peter van Dijk]

On Tue, Sep 05, 2000 at 10:37:32AM -0400, Andy Meuse wrote:
 Hmmm. I removed my rcpthosts file.

Put it back. Without an rcpthosts file, you are an open relay.

Greetz, Peter.
--

RE: ORBS doesn't like me :(

[Vince Vielhaber]

On Tue, 5 Sep 2000, Andy Meuse wrote:

 Hmmm. I removed my rcpthosts file.

Put it back.  Any of the IP addresses in tcp.smtp will bypass it if
the RELAYCLIENT variable is set.  

Vince.

 
  On Tue, Sep 05, 2000 at 10:26:55AM -0400, Andy Meuse wrote:
   I just recieved an email from ORBS branding my mail server 
  and open relay I
   looked in my tcp.smtp and I think I know why.
   
   172.16.3.:allow,RELAYCLIENT=""
   4.17.165.0.:allow,RELAYCLIENT=""
   207.244.122.53.:allow,RELAYCLIENT=""
   :allow
   
   I would imagine it's that allow on the last line right?
  
  No, that just tells tcpserver whether to accept or reject the
  connection completely. What does /var/qmail/control/rcpthosts say?
  
 

-- 
==
Vince Vielhaber -- KA8CSHemail: [EMAIL PROTECTED]http://www.pop4.net
 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directoryhttp://www.camping-usa.com
   Online Giftshop Superstorehttp://www.cloudninegifts.com
==

Re: ORBS doesn't like me :(

[Ricardo Cerqueira]

On Tue, Sep 05, 2000 at 10:37:32AM -0400, Andy Meuse wrote:
 Hmmm. I removed my rcpthosts file.


There's your answer. You opened you relay to all domains when you did that.

RC
 
  On Tue, Sep 05, 2000 at 10:26:55AM -0400, Andy Meuse wrote:
   I just recieved an email from ORBS branding my mail server 
  and open relay I
   looked in my tcp.smtp and I think I know why.
   
   172.16.3.:allow,RELAYCLIENT=""
   4.17.165.0.:allow,RELAYCLIENT=""
   207.244.122.53.:allow,RELAYCLIENT=""
   :allow
   
   I would imagine it's that allow on the last line right?
  
  No, that just tells tcpserver whether to accept or reject the
  connection completely. What does /var/qmail/control/rcpthosts say?
  

-- 
+---
| Ricardo Cerqueira  
| PGP Key fingerprint  -  B7 05 13 CE 48 0A BF 1E  87 21 83 DB 28 DE 03 42 
| Novis  -  Engenharia ISP / Rede Técnica 
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 21 010 - Fax: +351 21 011

 PGP signature

Re: ORBS doesn't like me :(

[Peter van Dijk]

On Tue, Sep 05, 2000 at 11:08:15AM -0400, Andy Meuse wrote:
 
   I put the rcpthosts back and all mail (local and remote) was returned
 undeliverable. However, I had also removed the :allow from my tcp.smtp so I
 don't know if that is the problem.

Are the domains you *do* want to receive mail for in rcpthosts now?

Greetz, Peter.
-- 
[ircoper][EMAIL PROTECTED] - Peter van Dijk / Hardbeat
[student]Undernet:#groningen/wallops | IRCnet:/#alliance
[developer]_
[disbeliever - the world is backwards](__VuurWerk__(--*-

Re: ORBS doesn't like me :(

[Johan Almqvist]

On Tue, Sep 05, 2000 at 04:42:45PM +0200, Peter van Dijk wrote:
 On Tue, Sep 05, 2000 at 10:37:32AM -0400, Andy Meuse wrote:
  Hmmm. I removed my rcpthosts file.
 Put it back. Without an rcpthosts file, you are an open relay.

That's always surprised me. I would have assumed that qmail would
default to control/me if rcpthosts is empty. Any reason why it doesn't?

-Johan
-- 
Johan Almqvist

Re: ORBS doesn't like me :(

[Chris Johnson]

On Tue, Sep 05, 2000 at 11:08:15AM -0400, Andy Meuse wrote:
   I put the rcpthosts back and all mail (local and remote) was returned
 undeliverable. However, I had also removed the :allow from my tcp.smtp so I
 don't know if that is the problem.

It's not the problem.

What are the contents of rcpthosts? What is the reason that the mail was
returned as undeliverable? (Did it not occur to you to provide this information
in the first place?)

Chris

Re: ORBS doesn't like me :(

[Charles Cazabon]

Andy Meuse [EMAIL PROTECTED] wrote:
 
   I put the rcpthosts back and all mail (local and remote) was returned
 undeliverable. However, I had also removed the :allow from my tcp.smtp so I
 don't know if that is the problem.

You need the :allow to let other servers on the net connect to your machine
to deliver mail to you.

rcpthosts should exist and contain domains for which you will accept mail --
typically the contents of the files 'locals' plus virtualdomains and perhaps
a few others (backup MX, etc).

Charles
-- 
--
Charles Cazabon   [EMAIL PROTECTED]
QCC Communications Corporation   Saskatoon, SK
My opinions do not necessarily represent those of my employer.
--

Re: ORBS doesn't like me :(

[Kris Kelley]

 I put the rcpthosts back and all mail (local and remote) was returned
 undeliverable. However, I had also removed the :allow from my tcp.smtp so
I
 don't know if that is the problem.

The lack of a rcpthosts file was *definitely* the problem.  When you don't
have this file, qmail's default behavior is to accept and relay email for
the entire Internet.

Having an ":allow" line in your tcp.smtp file won't affect your server's
behavior one way or the other.  This line tells tcpserver to accept
connections from any remote host (besides those mentioned elsewhere in the
tcp.smtp file), but don't modify any environment variables during the
session (such as RELAYCLIENT).  This is tcpserver's default behavior anyway,
so the only reason to have this line is for the sake of readability.  Note
that allowing a host to make a connection is not the same thing as allowing
that host to use your server as a relay.

So, the short answer is, now that you have a rcpthosts file again, ORBS will
stop blacklisting you.

---Kris Kelley

Re: ORBS doesn't like me :(

[John Gonzalez/netMDC admin]

On Tue, 5 Sep 2000, Johan Almqvist wrote:

| On Tue, Sep 05, 2000 at 04:42:45PM +0200, Peter van Dijk wrote:
|  On Tue, Sep 05, 2000 at 10:37:32AM -0400, Andy Meuse wrote:
|   Hmmm. I removed my rcpthosts file.
|  Put it back. Without an rcpthosts file, you are an open relay.
| 
| That's always surprised me. I would have assumed that qmail would
| default to control/me if rcpthosts is empty. Any reason why it doesn't?

I think this has been requested by some list users in the past, but it's
not that big of a deal. All it does is secure someone from blowing their
foot off on accident. Of course, with the behavior as default, them being
put on antispam lists might be a worse "long term" effect, as it's hard to
get off some of the lists to a newbie.

Oh well, i guess it's punishment for not reading the docs properly

-- 
  ___   _  __   _  
__  /___ ___    /__  John Gonzalez/Net.Tech
__  __ \ __ \  __/_  __ `__ \/ __  /_  ___/ MDC Computers/netMDC!
_  / / / `__/ /_  / / / / / / /_/ / / /__ (505)439-0200/fax-437-3052
/_/ /_/\___/\__/ /_/ /_/ /_/\__,_/  \___/ http://www.netmdc.com
[-[system info]---]
  9:45am  up 117 days, 15:48,  4 users,  load average: 0.10, 0.18, 0.18

Re: ORBS doesn't like me :(

[James Raftery]

On Tue, Sep 05, 2000 at 11:08:15AM -0400, Andy Meuse wrote:
   I put the rcpthosts back and all mail (local and remote) was returned
 undeliverable. However, I had also removed the :allow from my tcp.smtp so I
 don't know if that is the problem.

Ack! You are mighty confused.

The 'allow' and 'deny' statements specify whether a tcp connection 
from a given IP address will be allowed or denied, not whether any 
messages passed over the connection will be accepted for delivery.

rcpthosts is a list of domains for which your mailer will accept mail.
You need to list the domains for which that machine should accept email.

Take a look at the relaying doccumentation at http://www.qmail.org/, if
you need to setup selective relaying (i.e. allowing certain people -
your users - to use your machine to send their email)


Regards,

james
-- 
James Raftery (JBR54)  -  Programmer Hostmaster  -  IE TLD Hostmaster
   IE Domain Registry  -  www.domainregistry.ie  -  (+353 1) 706 2375
  "Managing 4000 customer domains with BIND has been a lot like
   herding cats." - Mike Batchelor, on [EMAIL PROTECTED]

RE: ORBS doesn't like me :(

[Ihnen, David]

Because you more often want a mail server to relay your mail than not to
relay your mail.

Why bother setting up rcpthosts if your server is firewalled off from the
internet, being an internal mail handler/relay anyway?

David

 -Original Message-
 From: Johan Almqvist [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 05, 2000 8:51 AM
 To: Peter van Dijk; [EMAIL PROTECTED]
 Subject: Re: ORBS doesn't like me :(
 
 
 On Tue, Sep 05, 2000 at 04:42:45PM +0200, Peter van Dijk wrote:
  On Tue, Sep 05, 2000 at 10:37:32AM -0400, Andy Meuse wrote:
   Hmmm. I removed my rcpthosts file.
  Put it back. Without an rcpthosts file, you are an open relay.
 
 That's always surprised me. I would have assumed that qmail would
 default to control/me if rcpthosts is empty. Any reason why 
 it doesn't?
 
 -Johan
 -- 
 Johan Almqvist
 

Re: ORBS doesn't like me :(

[Ricardo Cerqueira]

On Tue, Sep 05, 2000 at 05:51:11PM +0200, Johan Almqvist wrote:
 On Tue, Sep 05, 2000 at 04:42:45PM +0200, Peter van Dijk wrote:
  On Tue, Sep 05, 2000 at 10:37:32AM -0400, Andy Meuse wrote:
   Hmmm. I removed my rcpthosts file.
  Put it back. Without an rcpthosts file, you are an open relay.
 

An empty rcpthosts != no rcpthosts at all.
empty means "i don't take mail for any domain". No files mean "i don't
limit any domain". And rcpthosts does not assume me if empty. man 8
qmail-smtpd for more info.

RC

-- 
+---
| Ricardo Cerqueira  
| PGP Key fingerprint  -  B7 05 13 CE 48 0A BF 1E  87 21 83 DB 28 DE 03 42 
| Novis  -  Engenharia ISP / Rede Técnica 
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 21 010 - Fax: +351 21 011

 PGP signature

RE: ORBS doesn't like me :(

[Andy Meuse]

I created a rcpthosts file populated with my domain. Now the error I'm
recieving after sending remote mail is ..

"No transport provider was available for delivery to this recipient."

Local mail is unaffected.

thx for all the replies,
-Andy

Here is a recap of my situation. ORBS says I'm an open relay. I had no
rcpthosts file so there you go. When I create a rcpthosts file local users
can't send remote mail.


 You need the :allow to let other servers on the net connect
 to your machine
 to deliver mail to you.

I thought I read that the :allow is redundant since the default is to allow
any connection?

 rcpthosts should exist and contain domains for which you will
 accept mail --
 typically the contents of the files 'locals' plus
 virtualdomains and perhaps
 a few others (backup MX, etc).

 Charles

Re: ORBS doesn't like me :(

[David Dyer-Bennet]

Johan Almqvist [EMAIL PROTECTED] writes on 5 September 2000 at 17:51:11 +0200
  On Tue, Sep 05, 2000 at 04:42:45PM +0200, Peter van Dijk wrote:
   On Tue, Sep 05, 2000 at 10:37:32AM -0400, Andy Meuse wrote:
Hmmm. I removed my rcpthosts file.
   Put it back. Without an rcpthosts file, you are an open relay.
  
  That's always surprised me. I would have assumed that qmail would
  default to control/me if rcpthosts is empty. Any reason why it doesn't?

So far as I remember the discussion back some time ago, no, there
isn't any particular reason.  Dan just wrote it the other way. 
-- 
Photos: http://dd-b.lighthunters.net/ Minicon: http://www.mnstf.org/minicon
Bookworms: http://ouroboros.demesne.com/ SF: http://www.dd-b.net/dd-b 
David Dyer-Bennet / Welcome to the future! / [EMAIL PROTECTED]

RE: ORBS doesn't like me :(

[Vince Vielhaber]

On Tue, 5 Sep 2000, Andy Meuse wrote:

 this is my tcp.smtp file
 
 172.16.3.:allow,RELAYCLIENT=""
 4.17.165.:allow,RELAYCLIENT=""
 207.244.122.53.:allow,RELAYCLIENT=""
 :allow

How are you creating tcp.smtp.cdb ?

Vince.
-- 
==
Vince Vielhaber -- KA8CSHemail: [EMAIL PROTECTED]http://www.pop4.net
 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directoryhttp://www.camping-usa.com
   Online Giftshop Superstorehttp://www.cloudninegifts.com
==

RE: ORBS doesn't like me :(

[Andy Meuse]

Vince, please don't try to telnet into my mail server anymore. :(

Sep  5 14:31:42 qmail in.telnetd[6995]: refused connect from 209.103.136.12

-Andy

 -Original Message-
 From: Vince Vielhaber [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 05, 2000 2:34 PM
 To: Andy Meuse
 Cc: Qmail (E-mail)
 Subject: RE: ORBS doesn't like me :(
 
 
 On Tue, 5 Sep 2000, Andy Meuse wrote:
 
  this is my tcp.smtp file
  
  172.16.3.:allow,RELAYCLIENT=""
  4.17.165.:allow,RELAYCLIENT=""
  207.244.122.53.:allow,RELAYCLIENT=""
  :allow
 
 How are you creating tcp.smtp.cdb ?
 
 Vince.
 -- 
 ==
 
 Vince Vielhaber -- KA8CSHemail: [EMAIL PROTECTED]
 http://www.pop4.net
  128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 
 Networking
 Online Campground Directoryhttp://www.camping-usa.com
Online Giftshop Superstorehttp://www.cloudninegifts.com
 ==
 
 
 
 
 

RE: ORBS doesn't like me :(

[Vince Vielhaber]

On Tue, 5 Sep 2000, Andy Meuse wrote:

 Vince, please don't try to telnet into my mail server anymore. :(

I was going to try sending you mail directly to it with telnet, I
missed the 25 at the end command line and ^D out of it.  Believe me,
it wasn't intentional.

Vince.

 
 Sep  5 14:31:42 qmail in.telnetd[6995]: refused connect from 209.103.136.12
 
 -Andy
 
  -Original Message-
  From: Vince Vielhaber [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 05, 2000 2:34 PM
  To: Andy Meuse
  Cc: Qmail (E-mail)
  Subject: RE: ORBS doesn't like me :(
  
  
  On Tue, 5 Sep 2000, Andy Meuse wrote:
  
   this is my tcp.smtp file
   
   172.16.3.:allow,RELAYCLIENT=""
   4.17.165.:allow,RELAYCLIENT=""
   207.244.122.53.:allow,RELAYCLIENT=""
   :allow
  
  How are you creating tcp.smtp.cdb ?
  
  Vince.
  -- 
  ==
  
  Vince Vielhaber -- KA8CSHemail: [EMAIL PROTECTED]
  http://www.pop4.net
   128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 
  Networking
  Online Campground Directoryhttp://www.camping-usa.com
 Online Giftshop Superstorehttp://www.cloudninegifts.com
  ==
  
  
  
  
  
 

-- 
==
Vince Vielhaber -- KA8CSHemail: [EMAIL PROTECTED]http://www.pop4.net
 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directoryhttp://www.camping-usa.com
   Online Giftshop Superstorehttp://www.cloudninegifts.com
==

Re: ORBS doesn't like me :(

[Aaron L. Meehan]

Quoting Andy Meuse ([EMAIL PROTECTED]):
 I created a rcpthosts file populated with my domain. Now the error I'm
 recieving after sending remote mail is ..
 
 "No transport provider was available for delivery to this recipient."

Heh.. that doesn't say anything.  That's an Outlookism that it spits
out when it really does not know what is going on (like all of the
time).  "No transport provider .." bah!  

If you could provide the actual error message that qmail-smtpd
spits out, and that reasonable mailers will show you, that certainly
would help a lot.

In any case, the problem is (almost) certainly that RELAYCLIENT is not
set for the connection, hence qmail does not allow you to relay to any
domain not in rcpthosts.

Aaron

RE: ORBS doesn't like me :(

[Andy Meuse]

I reconfigured tcprules and now everything is fine. I think I had edited the
tcp.smtp and it never occured to me to rerun tcprules, that or the "-c 50"
in the tcpserver command line below was effin it up.

 exec /usr/local/bin/softlimit -m 400 \
 /usr/local/bin/tcpserver -v -x/etc/tcp.smtp.cdb -c 50 -u503 -g502 0 smtp \
 /var/qmail/bin/qmail-smtpd 21 | /var/qmail/bin/splogger smtpd 3 

Anyway, thanks for the pointers everyone.

-=Andy

 -Original Message-
 From: Vince Vielhaber [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 05, 2000 3:20 PM
 To: Andy Meuse
 Cc: 'Qmail (E-mail)'
 Subject: RE: ORBS doesn't like me :(


 On Tue, 5 Sep 2000, Andy Meuse wrote:

  Vince, please don't try to telnet into my mail server anymore. :(

 I was going to try sending you mail directly to it with telnet, I
 missed the 25 at the end command line and ^D out of it.  Believe me,
 it wasn't intentional.

 Vince.

 
  Sep  5 14:31:42 qmail in.telnetd[6995]: refused connect
 from 209.103.136.12
 
  -Andy
 
   -Original Message-
   From: Vince Vielhaber [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, September 05, 2000 2:34 PM
   To: Andy Meuse
   Cc: Qmail (E-mail)
   Subject: RE: ORBS doesn't like me :(
  
  
   On Tue, 5 Sep 2000, Andy Meuse wrote:
  
this is my tcp.smtp file
   
172.16.3.:allow,RELAYCLIENT=""
4.17.165.:allow,RELAYCLIENT=""
207.244.122.53.:allow,RELAYCLIENT=""
:allow
  
   How are you creating tcp.smtp.cdb ?
  
   Vince.
   --
   ==
   
   Vince Vielhaber -- KA8CSHemail: [EMAIL PROTECTED]
   http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4
   Networking
   Online Campground Directoryhttp://www.camping-usa.com
  Online Giftshop Superstorehttp://www.cloudninegifts.com
   ==
   
  
  
  
  
 

 --
 ==
 
 Vince Vielhaber -- KA8CSHemail: [EMAIL PROTECTED]
http://www.pop4.net
 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directoryhttp://www.camping-usa.com
   Online Giftshop Superstorehttp://www.cloudninegifts.com
==

Re: ORBS doesn't like me :(

[Peter van Dijk]

On Tue, Sep 05, 2000 at 03:19:34PM -0400, Vince Vielhaber wrote:
 On Tue, 5 Sep 2000, Andy Meuse wrote:
 
  Vince, please don't try to telnet into my mail server anymore. :(
 
 I was going to try sending you mail directly to it with telnet, I
 missed the 25 at the end command line and ^D out of it.  Believe me,
 it wasn't intentional.

I believe you. That happens to me all the time :)

Greetz, Peter
-- 
dataloss networks

Re: ORBS doesn't like me :(

[Chris K. Young]

Quoted from Peter van Dijk:
 On Tue, Sep 05, 2000 at 03:19:34PM -0400, Vince Vielhaber wrote:
  I was going to try sending you mail directly to it with telnet, I
  missed the 25 at the end command line and ^D out of it.  Believe me,
  it wasn't intentional.
 
 I believe you. That happens to me all the time :)

That's why you use tcpclient: it doesn't have a default port. :-)

---Chris K.
-- 
 Chris, the Young One |_ but what's a dropped message between friends? 
  Auckland, New Zealand |_ this is UDP, not TCP after all ;) ---John H. 
http://cloud9.hedgee.com/ |_ Robinson, IV  

Re: ORBS doesn't like me :(

[James Raftery]

On Tue, Sep 05, 2000 at 08:44:22AM -0700, Ihnen, David wrote:
 Why bother setting up rcpthosts if your server is firewalled off from the
 internet, being an internal mail handler/relay anyway?

There are cases where people intentionally want to create open relays,
and there should be a mechanism to allow that.

But AFAIC the current method makes it too easy to shoot oneself in 
the foot. Too often people take the premise that "rcpthosts lists the
domains to accept mail for" (to paraphrase) and use that to make the
conclusion that "no rcpthosts means accepting mail for no domains".
While it is incorrect, it's not an entirely off-the-wall thought
progression.


Regards,

james
-- 
James Raftery (JBR54)  -  Programmer Hostmaster  -  IE TLD Hostmaster
   IE Domain Registry  -  www.domainregistry.ie  -  (+353 1) 706 2375
  "Managing 4000 customer domains with BIND has been a lot like
   herding cats." - Mike Batchelor, on [EMAIL PROTECTED]

RE: ORBS doesn't like me :(

[John Gonzalez/netMDC admin]

On Tue, 5 Sep 2000, Andy Meuse wrote:

| Here is a recap of my situation. ORBS says I'm an open relay. I had no
| rcpthosts file so there you go. When I create a rcpthosts file local users
| can't send remote mail.

You need to read LWQ, and specifically, the section on selective relaying.

http://web.infoave.net/~dsill/lwq.html#relaying

http://www.palomine.net/qmail/relaying.html

http://www.palomine.net/qmail/selectiverelay.html

|   I thought I read that the :allow is redundant since the default is to allow
| any connection?

It is redundant. It's put in there to be syntaxtically correct in case the
default behavior changes in the future.

-- 
  ___   _  __   _  
__  /___ ___    /__  John Gonzalez/Net.Tech
__  __ \ __ \  __/_  __ `__ \/ __  /_  ___/ MDC Computers/netMDC!
_  / / / `__/ /_  / / / / / / /_/ / / /__ (505)439-0200/fax-437-3052
/_/ /_/\___/\__/ /_/ /_/ /_/\__,_/  \___/ http://www.netmdc.com
[-[system info]---]
 10:50am  up 117 days, 16:53,  4 users,  load average: 0.03, 0.16, 0.16

Re: ORBS doesn't like me :(

[Charles Cazabon]

Andy Meuse [EMAIL PROTECTED] wrote:
 I created a rcpthosts file populated with my domain. Now the error I'm
 recieving after sending remote mail is ..
 
 "No transport provider was available for delivery to this recipient."
 
 Local mail is unaffected.

I'm not familiar with this error message.  What was the recipient address, what
is your local domain, what is the contents of rcpthosts and locals, ...
 
  You need the :allow to let other servers on the net connect to your machine
  to deliver mail to you.
 
   I thought I read that the :allow is redundant since the default is to
   allow any connection?

Yes, my bad.  It is the default.  I just like being explicit in tcp rules files.

Charles
-- 
--
Charles Cazabon   [EMAIL PROTECTED]
QCC Communications Corporation   Saskatoon, SK
My opinions do not necessarily represent those of my employer.
--

RE: ORBS doesn't like me :(

[Andy Meuse]

Yep, I have the locals set up with my domain(s).

Since I have been an open relay, and then when I create a rcpthosts file it
seems SMTP rejects me, I suppose my tcprules or tcpserver or both are
configured incorrectly. Again here is the error message.

"No transport provider was available for delivery to this recipient."

I was sending local to hotmail account, and also tried other external
addresses. (Yahoo, Juno etc.)

this is my tcp.smtp file

172.16.3.:allow,RELAYCLIENT=""
4.17.165.:allow,RELAYCLIENT=""
207.244.122.53.:allow,RELAYCLIENT=""
:allow

The mail server is on the 4.17.165.0 network
Users are on the 172.16.3.0 network

Here are the commands I run qmail from in rc.local

# starts Qmail basics
/bin/csh -cf '/var/qmail/rc ' 

# Starts pop3 server from tcpserver
/usr/local/bin/tcpserver -v -R 0 pop3 /var/qmail/bin/qmail-popup
qmail.buyerzone.com \
/bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 21 |
/var/qmail/bin/splogger pop3d 

#This modifies the qmail-queue for qmail virus scan
#QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE

# Tcpserver with relaying rules found in /etc/tcp.smtp
exec /usr/local/bin/softlimit -m 400 \
/usr/local/bin/tcpserver -v -x/etc/tcp.smtp.cdb -c 50 -u503 -g502 0 smtp \
/var/qmail/bin/qmail-smtpd 21 | /var/qmail/bin/splogger smtpd 3 

Hmmm. Should the -c 50 be right after tcpserver?

rcpthosts  locals read...

buyerzone.com
buyerszone.com
mail.buyerzone.com
mail.buyerszone.com
qmail.buyerzone.com
qmail.buyerszone.com

Thanks again,
Andy

And yes I've read the FAQ and LWQ so much my eyes hurt. I did have problems
getting qmail to run using daemontools (RCDIR config I think) so I inserted
the startup commands into rc.local.


 Andy Meuse schrieb:
 do you have your domain in ~/control/locals too?

 you will need that for qmail to realize that mails for your domain
 should be delivered locally and *not* passed on elsewhere.

 wolfgang

 
  I created a rcpthosts file populated with my domain. Now
 the error I'm
  recieving after sending remote mail is ..
 
  "No transport provider was available for delivery to this
 recipient."
 
  Local mail is unaffected.
 
  thx for all the replies,
  -Andy

Re: ORBs problem and Qmail (@@@ related)

[Greg Moeller]

 On 17 May 00, at 4:40, Greg Moeller wrote:
 
  # cat alias/.qmail-tnet-default
  | fastforward -d -p /etc/aliases.cdb
  | forward "$DEFAULT"
 
 This line does it; what it "$DEFAULT" contains 
 "[EMAIL PROTECTED]"?
 
 Try to do
 |forward "$DEFAULT"@`head -1 /var/qmail/control/locals`
 (where instead of head, you'd fill the machine name in)
 
Just to thank Peter and let everyone know this worked perfectly and we're off 
ORBS  (and still delivering Email correctly  :)

Greg

Re: ORBs problem and Qmail (@@@ related)

[Greg Moeller]

qweqweqwe
asdasdasdasd
zxczxczxc

Re: ORBs problem and Qmail (@@@ related)

[Greg Moeller]

 On Tue, May 16, 2000 at 12:00:23PM -0500, Greg Moeller wrote:
  Hi there.
  Our mail server's been listed in ORBs because of a multiple @ related hole.
  Is this common for a Qmail system or is something odd about our setup?
 
 There must be something odd. What does
 /var/qmail/alias/.qmail-snet-default containt?
# cat alias/.qmail-tnet-default
| fastforward -d -p /etc/aliases.cdb
| forward "$DEFAULT"
 
 

 Please don't do that. You can trust the people here, and giving real info
 will allow us to help you quicker.
Here's the full poop from ORBS:
154.11.89.180 : 2000-04-21 21:28:00 UTC

From [EMAIL PROTECTED] Sat Apr 22 09:27:47 2000
Received: from toolbox.total.net (toolbox.total.net [154.11.89.179])
by mail2.manawatu.net.nz (8.9.3/8.9.3) with SMTP id FAA05197
for [EMAIL PROTECTED]; Sat, 22 Apr 2000 05:59:36 +1200
X-Remote-IP: 154.11.89.179
Date: Sat, 22 Apr 2000 05:59:36 +1200
Received: (qmail 15431 invoked by alias); 21 Apr 2000 13:59:31 -
Delivered-To: [EMAIL PROTECTED]@pop.total.net
Received: (qmail 15413 invoked from network); 21 Apr 2000 13:59:31 -
Received: from unknown (HELO relaytest.orbs.vuurwerk.nl) (194.178.232.55)
by pop.total.net with SMTP; 21 Apr 2000 13:59:31 -
To: [EMAIL PROTECTED]@pop.total.net
From: [EMAIL PROTECTED]
X-Token: ckpfbvvorqbdqnlp
X-Envelope-Sender: [EMAIL PROTECTED]
X-Envelope-Recipient: [EMAIL PROTECTED]@pop.total.net
Message-Id: [EMAIL PROTECTED]
Subject: ORBS Relay Test - 154.11.89.180

 
 [snip]
  
  We're using the fastforward alias system.(version fastforward-0.51)
 
 Hmmm, could you give us some details of your configuration then?
 
It's Qmail 1.03, fast forward 0.51.
It's handling about 60,000 local mailboxes, and doing forwards for about 700 
virtual domains.
(this is put into the virtual domain file automatically by a script which 
scans a single file with every map on the system.)
# head -5 control/virtualdomains
258wallace.com:valias
4200st-laurent.com:valias
# cat valias/.qmail-default
| /var/qmail/bin/fastforward -d /etc/aliases.cdb

Hope that's enough for now..

Greg

Re: ORBs problem and Qmail (@@@ related)

[Petr Novotny]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 17 May 00, at 4:40, Greg Moeller wrote:

 # cat alias/.qmail-tnet-default
 | fastforward -d -p /etc/aliases.cdb
 | forward "$DEFAULT"

This line does it; what it "$DEFAULT" contains 
"[EMAIL PROTECTED]"?

Try to do
|forward "$DEFAULT"@`head -1 /var/qmail/control/locals`
(where instead of head, you'd fill the machine name in)


-BEGIN PGP SIGNATURE-
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBOSJdx1MwP8g7qbw/EQJaMQCgq70C4qZeffjiFFqzZj1iZ18+mKAAoM4/
j7QNQT0oEvsFRzVPzbfaSq2U
=20Z8
-END PGP SIGNATURE-
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
 [Tom Waits]

Re: ORBs problem and Qmail (@@@ related)

[Peter van Dijk]

On Tue, May 16, 2000 at 12:00:23PM -0500, Greg Moeller wrote:
 Hi there.
 Our mail server's been listed in ORBs because of a multiple @ related hole.
 Is this common for a Qmail system or is something odd about our setup?

There must be something odd. What does
/var/qmail/alias/.qmail-snet-default containt?


 Here's the header from ORBS, with enough changed so that any spammers watching 
 won't get ideas.  :)

Please don't do that. You can trust the people here, and giving real info
will allow us to help you quicker.

[snip]
 
 We're using the fastforward alias system.(version fastforward-0.51)

Hmmm, could you give us some details of your configuration then?

And please tell us real hostnames (post real headers, for example), so we
can see for ourselves.

Greetz, Peter.
-- 
[EMAIL PROTECTED] - Peter van Dijk [student:developer:madly in love]

Re: ORBS prevention

[Johan Almqvist]

On Mon, May 08, 2000 at 11:34:27AM +0900, Kristina wrote:
 Now that I want to use my qmail-server in real life, there are many 
 other issues involved--like preventing my qmail server from being put on 
 the ORBS database. I have referred to the archives, however, there is much
 heated discussion without much pratical detail.

A standard qmail install will never be in the ORBS database. qmail is
relay-safe out of the box.

:-

-Johan
-- 
Johan Almqvist

Re: ORBS prevention

[Paul Schinder]

At 11:34 AM +0900 5/8/00, Kristina wrote:
I am at the point of setting up my qmail-server as the mail-hub for my
organization.  I have only used qmail for testing purposes so far and I am not
experienced with anti-spam techniques.

Now that I want to use my qmail-server in real life, there are many
other issues involved--like preventing my qmail server from being put on
the ORBS database. I have referred to the archives, however, there is much
heated discussion without much pratical detail.

Pleae let me know what I need to do for ORBS prevention and any other
configuration details necessary for a secure, anti-spam mail-hub.

Absolutely nothing.  qmail as installed won't relay for third 
parties, and therefore won't get in ORBS.

It's what you *shouldn't* do that's important.  Under no 
circumstances should you remove the rcpthosts file.  Read Dave Sill's 
Life with qmail and some of the other documents that you must have 
run across if you've read all the "heated discussion" to learn how to 
properly set up relaying with qmail.



Thankyou in advance,
Kristina

-- 
--
Paul J. Schinder
NASA Goddard Space Flight Center
Code 693
[EMAIL PROTECTED]

Re: ORBS database

[Frank Tegtmeyer]

 I have tcpserver of course. What's wrong here? Thanks.

Do you have a rcpthosts file?  Is ORBS possibly testing from a
10.x.x.x address?

Regards, Frank

Re: ORBS database

[Frank Tegtmeyer]

 Is ORBS possibly testing from a
 10.x.x.x address?

:) was missing :)

Re: ORBS not recommended

[Jon Rust]

At 9:20 PM -0500 2/6/00, Len Budney wrote:
[EMAIL PROTECTED] wrote:

 I would strongly recommend *against* using ORBS, because it blocks a
 lot of legitimate mail.

Agreed. (I cut a similar caution for space reasons; should've just omitted
mention of ORBS.)

Fascism is seductive to techies--in particular, the ORBS fellow does
seem to have a bit of a god complex. http://www.orbs.org/bugtraq.html
gives a good example.

Len.


I use maildrop and a hacked version of rblcheck to simply add a 
header to suspected spam. If the last server before ours matches RBL, 
rblcheck's return code is incremented by 1. If it matches at 
RBL.maps.vix.com, incremented by 2. DUL.maps.vix.com, by 4. 
relays.mail-abuse.org, by 8. Then I throw the return value into the 
header. The results have been informative.

 Delivered-To: [EMAIL PROTECTED]
 Date: Mon, 7 Feb 2000 03:58:15 GMT
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: 2 FREE GAMBLING CRUISE TICKETS  L@@K
 Status:  U
 X-Spam: based on relay(1) 199.171.54.114

So in this case the spam was spotted by only ORBS. In the next 
example, ORBS and relays.mail-abuse caught it:

 Delivered-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Bcc: snipped for brevity
 From: [EMAIL PROTECTED]
 Subject: Earn Big $$$ From Home!
 Status:  U
 X-Spam: based on relay(9) 205.168.240.10

And one that surely isn't spam:

 Delivered-To: [EMAIL PROTECTED]
 Date: Wed, 2 Feb 2000 17:02:31 -0500 (EST)
 From: [EMAIL PROTECTED]
 Subject: MODIFY DOMAIN somedomain.com
 Reply-To: [EMAIL PROTECTED]
 X-Spam: based on relay(1) 198.41.0.91
 Status:  U

ORBS catches a lot of spam, but they also hit a lot of big sites. 
Like Network Solutions in the above example. PacBell Internet. Ebay. 
Discover Brokerage. The thing is, all these sites DO HAVE open 
relays. Just because they're big, they should be able to get away 
with it? I've let all of them know (I'm sure they already knew), but 
haven't seen any of them change it.

Anyway, the plan is to eventually let users decide for themselves how 
much filtering they want, or if they're happy with just a header 
being added. If they want to chance lost mail and use ORBS, that's 
their choice.

jon