
Long-Dead ORDB Begins Returning False Positives

Chapter80 writes "At noon today (Eastern Standard Time), the long dead ORDB spam identification system began returning false positives as a way to get sleeping users to remove the ORDB query from their spam filters. The net effect: all mail is blocked on servers still configured to use the ORDB service, which was taken out of commission in December of 2006. So if you're not getting any mail, check your spam filter configuration!"

  • Nope. (Score:5, Funny)

    by TheLazySci-FiAuthor ( 1089561 ) <thelazyscifiauthor@gmail.com> on Tuesday March 25, 2008 @05:49PM (#22863948) Homepage Journal
    No emails, but it's not the ORDB system. I just don't have any friends.
  • No luck (Score:4, Funny)

    by smackenzie ( 912024 ) on Tuesday March 25, 2008 @05:55PM (#22863990)
    I tried to sign up with Slashdot to comment on this post, but it told me that I would need to validate a confirmation email.

    I haven't received my confirmation email yet... seriously, how long does this take? Anyone? Is Slashdot broken? Do people post comments on Slashdot?
  • by mrcaseyj ( 902945 ) on Tuesday March 25, 2008 @05:57PM (#22864006)
    Intentionally causing large numbers of emails to be lost is a risky move indeed.
    • by ZenDragon ( 1205104 ) on Tuesday March 25, 2008 @06:04PM (#22864056)
      They aren't being lost, simply being flagged as spam by the database. People will have to go into their respective administration interface and "release" the mail and/or mark it as safe. Kind of a pain in the ass, but if you're depending on a spam database that is over a year old, it's not likely doing much for you anyway.
      • by mrcaseyj ( 902945 ) on Tuesday March 25, 2008 @06:19PM (#22864180)
        It's one thing for a spam filter to make a mistake or even be careless and put a message into the spam folder, but quite another for a filter to intentionally cause known good messages to be absent from a user's inbox. Why don't they just start reporting all messages as good, or just not give any rating to any message? This might be especially bad in situations where ORDB is only given partial weighting in the spam categorization process so that many messages still get through, thus making it less likely that the errors will be noticed quickly because there will not be a total block on email. To do what they're doing might be considered reckless. I don't know much about the law in a situation like this but I'd be worried about liability even with a good disclaimer in the user agreement.
        • email is like Doritos.

          The spam filter can eat all it wants. They'll make more.

        • by timmarhy ( 659436 ) on Tuesday March 25, 2008 @06:38PM (#22864352)
          the only person to blame is the careless mail admin who leaves ORDB in. ORDB is a free service, they have every right to take it down, hell i'm pretty amazed they left it up for a year and gave all the warnings they did.
          • by MrNaz ( 730548 ) on Tuesday March 25, 2008 @08:10PM (#22865074) Homepage
            As much as we can rail against stupid mail admins, I think it would not be remiss of us to remember that the ultimate sufferers are end users who probably have no idea what their mail server administrator is doing. In other words, this hurts the people who *rely* on mail administrators, not the mail administrators. For that reason, I think ORDB is doing the wrong thing. This is yet another reason why privately owned spam registrars like ORDB are a bad idea; they just do not understand either the gravity of what they are doing, nor do they have the responsibility to take it seriously. If you are doing something on such a large scale, it is inevitable that there will always be stragglers. Don't get all indignant about how "dumb mail admins" should know better unless you know that all your utility providers abide by the latest best industry practices in their respective fields.

            On a side note, given that this move by ORDB specifically targets people other than those who they want to change the behaviour of in an attempt to get those innocent bystanders to affect change upon the real people they want to affect, this actually meets the FBI's definition of terrorism.
            • Comment removed (Score:4, Insightful)

              by account_deleted ( 4530225 ) on Tuesday March 25, 2008 @08:28PM (#22865168)
              Comment removed based on user account deletion
            • your logic is all messed up. on the one hand you say don't blame the admins, and on the other you're saying they shouldn't be using a privately owned spam register like ORDB.

              which is it?

              it's about personal responsibility, ORDB was free, no one supported it in its time of need so now it's shutting up shop.

            • Re: (Score:2, Insightful)

              by Anonymous Coward
              I rarely have the desire to use the TLA OMG, but wow. One of my hats is 'mail admin', admittedly for a small but active domain. If the mail goes out for a couple of hours, I get a phone call, or I get paged, and I am expected to be fixing it in less than an hour.

              First, I'm not aware of any publicly owned spam registrars. Care to enlighten me?

              Second, how is a publicly owned (e.g. stock exchange, or do you mean run by the government of a country chosen at random (or heaven forefend the UN)) service less li
        • by interiot ( 50685 ) on Tuesday March 25, 2008 @06:47PM (#22864462) Homepage

          Why don't they just start reporting all messages as good, or just not give any rating to any message?

          That's precisely what they did [readlist.com] for the last 15 months (a pretty reasonable amount of time):

          DNS and the mailing lists will vanish today, December 18, 2006.

          I don't know... do they still own a machine that responds to DNS requests, and are therefore paying for bandwidth? Probably not.

          Do they want to sell the domain to someone, who wouldn't want to get hit with a bandwidth bill as soon as they throw some servers up? More likely.

        • by brassman ( 112558 ) on Tuesday March 25, 2008 @08:54PM (#22865282) Homepage
          What you're missing is that if ORDB flags all mail as "good," then clueless soi-disant 'admins' will continue to hammer the site with their useless queries, up to thousands of them per second. Blocking world+dog is a desperation move -- which has been used a few times in the past by other RBL administrators -- just to make people stop doing that.


          When someone just plain will not check back to see if your free service is still working (and free), how else do you get their attention?

      • by iangoldby ( 552781 ) on Tuesday March 25, 2008 @06:24PM (#22864238) Homepage
        When I had a run-in with my old ISP a few years ago, the issue was that a) they did not advertise anywhere that they weren't accepting mail from blacklisted peers, and b) mail from blacklisted peers was simply discarded. There was no 'administration interface' to '"release" the mail and/or mark it as safe.' There was in fact no way for the recipient (i.e. me) to ever know that a mail addressed to them that had not been delivered had even been sent.

        That said, the approach of ORDB does seem to be the right way to stop administrators from using it. If you don't force the issue by stopping all mail, then random non-spam emails will continue to be blocked indefinitely. Short-term pain for long-term gain...
        • by Naurgrim ( 516378 ) <naurgrim@karn.org> on Tuesday March 25, 2008 @07:13PM (#22864668) Homepage

          Concur, wholeheartedly.

          I put a good deal of effort into getting spamassassin configured to classify spam into imap folders for my users, and giving them tools for whitelisting, etc. on an individual basis. One man's spam is another man's ham, after all.

          I could not in good faith arbitrarily delete mail based on automatic filtering. I would rather run completely unfiltered than make that decision for somebody, and for a long time I resisted the idea of filtering server-side. Bottom line was that my customers demanded it, so I had to come up with a system that met their requirements and mine.

      • by arkhan_jg ( 618674 ) on Tuesday March 25, 2008 @06:28PM (#22864278)
        ORDB was a realtime blacklist, i.e. it identified the IP addresses of open relays. Most people use RBLs like zen and njabl to block connections from 'bad' SMTP servers at HELO; they're much more effective at that stage than later as part of bayesian spam filters - content filtering is expensive and unreliable with the volume of spam these days. Blocking open relays and dynamic ranges* at HELO is often the only practical way to get a handle on 99% spam loads.

        Configured that way, there's no email to release, as the server was not allowed to connect in the first place - in effect, ORDB would have caused an admin unaware that they had shut down to have his server block all inbound email at the connection level. Given the amount of sample configs about that still include them, that's not impossible to imagine.

        Effective way of getting people to stop querying their servers, but kinda dickish.

        *Yes, I know dynamic ranges sometimes host legit personal mail servers. Unfortunately, for every legit user there are hundreds of spam zombies on those dynamic IPs, often dumping dozens of spam at a time, often hitting over and over again until they get past the greylist timeout. I'm watching my log now, and I just blocked 50 odd connection attempts from one IP pretending to be 50 different email domains. In the time it's taken me to write this footnote, the dynamic range IP blacklists have blocked a few hundred emails.
      • by rekoil ( 168689 )
        Depending on the way the DB is being used - some mail servers are configured to 554-reject DNSBL matches. If so, they're going to be rejecting *everything* that comes in until the check is removed from the server.

        If the server is just using it for a scoring system a la spamassassin, you're probably right.
    • by neonmonk ( 467567 ) on Tuesday March 25, 2008 @06:09PM (#22864090)
      Don't worry, they're completely covered, they did- of course - send an email.

      Wait...
    • Re: (Score:3, Insightful)

      by Sentry21 ( 8183 )
      I think the worst part of it is that the systems that are rejecting mail (because they're still configured to use ORDB) are the ones that are the least-maintained, and quite possibly completely forgotten about - and therefore are least likely to be noticed quickly or fixed intentionally.

      That said, if you're that crappy of a sysadmin, you deserve a wake-up call. It's just too bad that other people have to suffer for you to learn to do your job properly.
    • by SeaFox ( 739806 )

      Intentionally causing large numbers of emails to be lost is a risky move indeed.

      Yeah, someone might sue them for missing important emails from the poor service ORDB is offering.
      Oh, wait...
    • When you discontinue services people rely on, things break. If you're providing that service for free, it's people's own fault.

      If they had just let the domain expire, it would have caused spam to just silently get through until somebody malevolent registered the domain and started configuring it to block select targets . . . for a modest fee.

      At least this way, people will _notice_ that the service is discontinued. Failing loudly is almost always better than failing silently.

      • by monsted ( 6709 ) on Wednesday March 26, 2008 @04:05AM (#22867206)
        Nope, if they just let the domain expire, it would have caused the .org authoritative servers to die. It's been done already, shortly after they first shut down the service, causing them to open it again, responding that everything is ham.

        If the ordb.org zone goes away, every halfwit mail admin who uses ordb.org will be hammering the .org servers instead. This is why it was first reenabled and now shut down the way it is.
  • Why DNS-RBLs suck (Score:4, Informative)

    by Anonymous Coward on Tuesday March 25, 2008 @06:02PM (#22864038)
    • by whoever57 ( 658626 ) on Tuesday March 25, 2008 @06:37PM (#22864346) Journal

      I'll take the DNS-RBLs out of my email configuration when there is a realistic alternative. Clicking the "Conclusions" link on the referenced page, the author provides no solutions, other than throwing pies at Bill Gates. Not very credible.
      • Er, he mentioned in his other discussions on mail filtering better ways to do it (i.e. those not on the "shame" list):

        http://acme.com/mail_filtering/background_frameset.html [acme.com]
      • Buy or use a decent filter? Use RBLs as a scoring mechanism?

        RBLs are horribly broke & you should never use them as a sole method of determining if an email is spam.
        • Re: (Score:3, Informative)

          RBLs are horribly broke & you should never use them as a sole method of determining if an email is spam.

          Then, why do I have an extremely low reported false-positive rate from them? Maybe it's got something to do with which ones I choose to use, how I choose to use them, the mix of mail people at my organisation expect to receive, and the mitigating whitelistings I've stuck in place over the years. There is no "zero false-positive anti-spam magic bullet", but for my specific values of "workable" (i.e.

  • Nice (Score:4, Insightful)

    by topham ( 32406 ) on Tuesday March 25, 2008 @06:09PM (#22864088) Homepage

    Dealing with Email and Spam issues can be enough of a pain in the ass without the added hassle of this shit.

    It isn't that the recipient complains they aren't getting email, it's when the sender (my customer) complains to me that their mail isn't making it to the recipient and blames me when it's the spam filters at the other end causing the problem. And now this?
    Nice.

    • Re:Nice (Score:5, Insightful)

      by TubeSteak ( 669689 ) on Tuesday March 25, 2008 @06:23PM (#22864230) Journal
      It's like hotlinking an image off someone's website after you've been told not to. Yes, the site owner is a dick for replacing the pic with goatse, but it's still your fault for linking to it in the first place.

      This will cause some confusion at first, but if it hit /. word will get out soon enough.
      I just hope no one's spam filter defaults to automatic-deletion.
      • How about if you were told you could hotlink the image, and thus did. Later, the site posts up a notice somewhere saying it is no longer allowed, but as you haven't visited their main page you weren't aware of the policy change.

        More like what may be happening here to a bunch of those who use this RBL, I know that I had to check my mail config after seeing the /. story to make sure I wasn't one of them...
    • No kidding. (Score:5, Funny)

      by raehl ( 609729 ) <(moc.oohay) (ta) (113lhear)> on Tuesday March 25, 2008 @06:57PM (#22864532) Homepage
      If my spam filter service did this to me, I would never use them again!
    • It isn't that the recipient complains they aren't getting email, it's when the sender (my customer) complains to me that their mail isn't making it to the recipient and blames me when it's the spam filters at the other end causing the problem. And now this?

      If you've been pestering their DNS servers for the last 15 months because you've been too lazy to remove those entries and can't be bothered to even remotely follow technical newssites, then your customers are placing the blame right where it belongs. Honestly, you're trusting the integrity of your email system to a third party and can't even be bothered to check up on them now and again? Like once a year or so? No, this is entirely your problem to own.

  • Why don't they just close the server so it no longer accepts connections? Are they doing this to stop the server currently at that location from being hammered with requests?
    • by travisd ( 35242 ) <{ten.sabut} {ta} {dsivart}> on Tuesday March 25, 2008 @06:37PM (#22864344) Homepage
      Because the requests will still come. And even without a response, the request will consume bandwidth that someone is paying for, and consuming an IP address that someone would like to re-use.
      • by ashridah ( 72567 ) on Tuesday March 25, 2008 @06:47PM (#22864468)
        While that's accurate to a point, it seems to me that doing this at the DNS level (deleting a DNS record, or pointing it to 127.0.0.1 and giving it a TTL of a few decades) would do the trick better than BLOCKING EMAIL.

        My bet is this is going to really REALLY negatively affect all of those mailservers that have been set up, for which there is *no* administrator. You know, the ones set up for smaller companies who have no in-house admin, who hired a consultant, but wouldn't pay for ongoing maintenance (either due to tightness or actual lack of funds, etc). The response time here, and time to resolution, is likely to be high to non-existent.

        All in all, this is a pathetic (understandable, mind you) move, and reeks of inconsideration.

        • by adri ( 173121 )
          Mail servers with ORDB configured will delay accepting mail until it gets a reply from ORDB. If it can't reach ORDB (ie, it doesn't give a response) then it may delay -all- incoming mail. ORDB would have to return "OK" to all requests to keep people's mail happy.

          Dropping an "OK" rule means mail flows fine for ORDB-poking mail servers, but requires the ORDB guys to keep doing it; there's no motivation for the site administrators to remove it.

          Dropping a "SPAM" rule means admins have to figure out what's busted
          • Re: (Score:3, Funny)

            by ashridah ( 72567 )
            Uh, so it's not configured to make the distinction between "OK" / "Not okay", and "i can't talk to it right now because it's returning a bogus result"?

            127.0.0.1 is probably going to turn out a quick response consisting of "who are you, and why are you touching me in my private place"
      • Re: (Score:3, Informative)

        by adolf ( 21054 )
        No, they won't -- at least not much, if they were using a subdomain for their RBL (as is the only sane method of doing so).

        They could abandon this subdomain (which would be silly), or just set up its SOA to have a huge TTL, and have an NS line in the right spot pointing to localhost.

        Requests from end-user mail servers would still happen, perhaps thousands of them per minute, but they'll only be met with references to a nameserver known as 127.0.0.1. The DNS hierarchy will then cache this bogus nameserver f
      • ARRGH.

        Yes, I was one of those people who spent 30 minutes puzzling over this today. No, I shouldn't have removed ORDB, it's a relatively small network, I've got a thousand other things to worry about.

        Mind you, it was made worse because I happened to be testing greylisting this week.

        Couldn't ORDB just not assign an address to relays.ordb.org?

        Ah well... I guess you get what you pay for.
    • It's their machine and they can do what they want... but sending false positives is a dick maneuver.
  • returning false positives and thinking "WTF? He's back?"

    Wu-Tang!
  • Heh... (Score:5, Funny)

    by FlyByPC ( 841016 ) on Tuesday March 25, 2008 @06:22PM (#22864216) Homepage
    I'm imagining the ORDB server basically doing the 'Net equivalent of the Monty Python "SPAM" skit...

    Spam spam spam spam...
    What's that there? An email from your supervisor? SPAM, I say. SPAM SPAM SPAM!
  • Bonehead (Score:3, Insightful)

    by Ritz_Just_Ritz ( 883997 ) on Tuesday March 25, 2008 @06:26PM (#22864266)
    Who is the bonehead who approved that move? It would have taken 5-10 seconds to just refuse connections, but someone has gone out of their way to create difficulty for people "to make a point." And the point was just "don't connect to our servers anymore." Idiots. Granted, any responsible admin probably commented out the ordb entry in their spam blackhole armory, but still....stupid...stupid...stupid.

    • Re:Bonehead (Score:4, Informative)

      by WarJolt ( 990309 ) on Tuesday March 25, 2008 @06:39PM (#22864366)
      One connection refused doesn't take up a lot of bandwidth. Thousands of connections refused per day does. Clients often times aren't smart enough to figure out the site is down permanently.
    • Re: (Score:3, Informative)

      by Joe U ( 443617 )
      Are you paying for their bandwidth? How about the servers that are being hammered, are you paying for them?

      Short of removing themselves from DNS, this is the most effective way to reduce bandwidth usage in the long term AND teach mail admins on how to properly run their mail servers.

  • by SurturZ ( 54334 ) on Tuesday March 25, 2008 @07:19PM (#22864710) Homepage Journal
    No wikipedia entry for ORDB, so they never existed.
  • by erice ( 13380 ) on Tuesday March 25, 2008 @07:19PM (#22864712) Homepage
    One problem with a draconian cut-off like this is that people can be affected who are totally unaware of the problem.

    Somewhat recently, I started using a perl version of rblcheck in some of my procmail recipes. A lengthy list of rbl's is embedded in the source code. I removed some obvious losers but was unaware until reading this article that ordb was a problem. How many people out there are using this script and are unaware that a bomb like this is lurking in the code? How many are using it and don't even remember that they even use this script?
    • by epine ( 68316 )
      Amazing the number of "ignorance is bliss" responses on this thread. What you don't know is not allowed to hurt you. Wish I lived in that world. I concede the emotional appeal.

      I have a question for the "ignorance is bliss" crowd. When a fat husband and wife completely block the grocery aisle nattering with each other about the best flavour of Twinkies, how long do you stand patiently behind them waiting for them to clue in to the blockade capacity of four lumbering Super-Size-Me ham haunches?

      A little mo
  • by bl968 ( 190792 ) on Tuesday March 25, 2008 @08:47PM (#22865250) Journal
    I closed my lists and two years later after checking my dns server and seeing traffic for a couple of dnsbl lists which had been empty for the last 2 years and finding that we were still getting several hundred requests per minute.

    Our blackhole lists are defunct. We announced their closure over 2 years ago and it was widely covered by the press at the time. We are still recording several hundred lookups per minute so Friday December 9th 2005 we started answering positive to all requests. If your mail is being blocked simply contact any isp blocking you using these lists and let them know they need to remove them ASAP! If they have questions they can contact me directly. [email removed]

    To identify whom to contact please reference the error message you receive.

    Look for something similar to:

    ----- Transcript of session follows -----
    ... while talking to mail.somedomain.com.:
    >>> MAIL From:<youremail@yourdomain.com>
    <<< 518 Your SMTP server is listed at something.domainremoved.net
    554 5.0.0 Service unavailable


    In this case you would contact somedomain.com and tell them that the whatever.compu.net dnsbl is defunct and is now answering positive on all lookups. As such they should remove it and any other compu.net dnsbl ASAP to prevent legitimate emails from being blocked.

    If they need verification send them to this web site.

    I announced this upcoming change to both the SPAM-L mailing list and the news.admin.net-abuse.email newsgroup

    "Over 2 years ago I shut down blackhole.somedomain.net, pacbelldsl.somedomain.net, and pm0-no-more.somedomain.net then announced the shutdown on the news.admin.net-abuse.email and several other mail and abuse related lists. As of today I am still logging several hundred requests per minute to it two years later. In one week I am going to start answering positive on every lookup to those domains. I don't want to do this however I am not going to continue to bear the load for something that ceased to exist over two years ago. So basically check your mail servers and if you are using the blackhole.somedomain.net, pacbelldsl.somedomain.net or pm0-no-more.somedomain.net dnsbls remove it asap!

    Thanks."


    It was the only way to get them to stop and if I check my server today, I will likely find I am still getting some requests on them. So it's not dickish at all as another commentator claimed.
    • by jo42 ( 227475 )
      Why didn't you just change the name servers for the domain to 127.0.0.1 and any FQDNs to 127.0.0.1? This would remove any traffic.
      • by bl968 ( 190792 )
        Because the name servers for that domain would still get the traffic from the mail servers requesting if there are any records for a host. That plus the return saying sorry we have no results would still eat up bandwidth over the course of a month when you figure several hundred queries a minute. Then take that bandwidth to over two years.

        Returning 127.0.0.1 or any results at all is considered a positive answer by most of the mail servers.
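The point made in the thread, that a DNSBL signals "listed" with any 127.x answer and "not listed" with NXDOMAIN, is what lets a defunct list that answers positive to everything block all inbound mail. The following added example (not code from the thread, ORDB, or any mail server) shows the lookup construction and a sanity check an admin can run against each configured list: by long-standing DNSBL convention (later codified in RFC 5782), the test address 127.0.0.2 must be listed and 127.0.0.1 must never be, so a list that reports 127.0.0.1 as listed is answering positive to everything and should be pulled from the configuration. The zone name and the fake resolvers are constructed for the demonstration; pass `system_resolver` to query a real list.

```python
import ipaddress
import socket
from typing import Callable, Optional

# A resolver maps a DNS name to its A record, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the list zone.
    192.0.2.10 in zone relays.example.test -> 10.2.0.192.relays.example.test."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def system_resolver(name: str) -> Optional[str]:
    """Real resolver for use against a live list; None means NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver = system_resolver) -> bool:
    """A hit is any answer inside 127.0.0.0/8; no answer means not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def dnsbl_health(zone: str, resolve: Resolver = system_resolver) -> str:
    """Check a list against the two conventional test addresses.
    Returns 'ok', 'dead' (no answers at all) or 'lists-everything'
    (127.0.0.1 comes back listed, so every sender would be rejected)."""
    listed_control = is_listed("127.0.0.2", zone, resolve)
    unlisted_control = is_listed("127.0.0.1", zone, resolve)
    if unlisted_control:
        return "lists-everything"
    if not listed_control:
        return "dead"
    return "ok"


# Constructed fake resolvers standing in for three kinds of list behaviour.
def fake_defunct_list(name: str) -> Optional[str]:
    """A shut-down list that now answers positive to every lookup."""
    return "127.0.0.2"


def fake_healthy_list(name: str) -> Optional[str]:
    """A maintained list: only the 127.0.0.2 test entry is listed."""
    return "127.0.0.2" if name.startswith("2.0.0.127.") else None


def fake_silent_list(name: str) -> Optional[str]:
    """A list whose zone has simply vanished: NXDOMAIN for everything."""
    return None


if __name__ == "__main__":
    zone = "relays.example.test"  # constructed zone name, not a real list
    for label, resolver in (("defunct", fake_defunct_list),
                            ("healthy", fake_healthy_list),
                            ("silent", fake_silent_list)):
        print(label, "->", dnsbl_health(zone, resolver))
```

A periodic run of `dnsbl_health` against every list in the mail server's configuration, with an alert on anything other than 'ok', would have caught the ORDB change before it rejected a single legitimate message.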
    • by brassman ( 112558 ) on Tuesday March 25, 2008 @09:16PM (#22865412) Homepage
      Mod parent up. I don't have the article in front of me and I have no doubt that 'dickish' won't believe me anyway -- but the last time this happened, someone high up in the .org domain administration reported that the entire .org TLD was at risk of foundering under the load of UNANSWERED queries.

      I tell you three times: At the volumes we're talking about, merely turning off the server does not solve the problem caused by people continuing to query it.

  • Block lists (Score:4, Insightful)

    by buss_error ( 142273 ) on Tuesday March 25, 2008 @10:22PM (#22865808) Homepage Journal
    If one uses a block list, then one should subscribe to their email list as a minimum. Why? So that you are aware when that block list is no longer maintained... *sigh* Sadly, too many people that think they are experts at running a mail server will fail to do this. The really, really sad part is that they will most likely escape any punishment for their hubris.
  • by OakDragon ( 885217 ) on Tuesday March 25, 2008 @11:21PM (#22866110) Journal
    At noon today (Eastern Standard Time), the long dead ORDB spam identification system began returning false positives. Human decisions are removed from strategic defense. ORDB begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, March 26th. In a panic, they try to pull the plug.
