2001-07-14 08:52:22

by Matti Aarnio

Subject: ORBS blacklist is BROKEN (deliberately)...

This is a good representative sample of things I am seeing right now.

The crux is that those who broke it are running a very black version
indeed. Doing command:

dig @63.92.26.236 any *.relays.orbs.org.

will show you A and TXT data FOR WILDCARD ('star') ENTRY!
AND ONLY FROM THAT ONE SERVER OUT OF THEM ALL!

I also went around and checked all other alike services.
The grand-father of them: RBL (http://www.mail-abuse.org) is now
A SUBSCRIPTION ONLY service, thus it also is out of the picture...
(Except for those who want to subscribe to it.)




FAILED:
Original Recipient:
rfc822;[email protected]
Control data:
smtp enhanced.com [email protected] 99
Diagnostic texts:
...\
<<- MAIL From:<[email protected]> SIZE=2586
->> 250 <[email protected]> is syntactically correct
<<- RCPT To:<[email protected]>
->> 550-MAIL BLOCKED; See http://www.e-scrub.com/orbs/
->> 550 rejected: administrative prohibition
FAILED:
Original Recipient:
rfc822;[email protected]
Control data:
smtp cs.helsinki.fi [email protected] 99
Diagnostic texts:
...\
<<- MAIL From:<[email protected]> BODY=8BITMIME SIZE=2586
->> 250 2.1.0 <[email protected]>... Sender ok
<<- RCPT To:<[email protected]> NOTIFY=FAILURE ORCPT=rfc822;[email protected]
->> 550 5.7.1 <[email protected]>... Mail from vger.kernel.org blocked by DNS blacklist inputs.orbs.org, see http://www.cs.Helsinki.FI/block.html
FAILED:
Original Recipient:
rfc822;[email protected]
Control data:
smtp cs.helsinki.fi [email protected] 99
Diagnostic texts:
...\
<<- MAIL From:<[email protected]> BODY=8BITMIME SIZE=2586
->> 250 2.1.0 <[email protected]>... Sender ok
<<- RCPT To:<[email protected]> NOTIFY=FAILURE ORCPT=rfc822;[email protected]
->> 550 5.7.1 <[email protected]>... Mail from vger.kernel.org blocked by DNS blacklist inputs.orbs.org, see http://www.cs.Helsinki.FI/block.html
FAILED:
Original Recipient:
rfc822;[email protected]
Control data:
smtp china.com [email protected] 99
Diagnostic texts:
...\
<<- MAIL From:<[email protected]> BODY=8BITMIME
->> 250 <[email protected]>, sender ok.
<<- RCPT To:<[email protected]>
->> 250 <hjubing>, Local recipient ok.
<<- DATA
->> 354 Start mail input; end with <CRLF>.<CRLF>
<<- .
->> 553 Too many Received key words in the mail, should less than 5
FAILED:
Original Recipient:
rfc822;[email protected]
Control data:
smtp mailbox.dsnet.it [email protected] 99
Diagnostic texts:
...\
<<- MAIL From:<[email protected]> BODY=8BITMIME SIZE=2586
->> 553 sorry, your mailserver is listed in an RBL, mail from your location is not accepted here (#5.7.1)
<<- RCPT To:<[email protected]>
->> 503 MAIL first (#5.5.1)


2001-07-14 09:12:50

by Keith Owens

Subject: Re: ORBS blacklist is BROKEN (deliberately)...

On Sat, 14 Jul 2001 11:55:06 +0300,
Matti Aarnio <[email protected]> wrote:
> dig @63.92.26.236 any *.relays.orbs.org.
>
>will show you A and TXT data FOR WILDCARD ('star') ENTRY!
>AND ONLY FROM THAT ONE SERVER OUT OF THEM ALL!

http://www.e-scrub.com/orbs/ is the key. "Ronald F. Guilmette"
<[email protected]> sent this message to spam lists. Anybody still using
ORBS for lookups can expect to get random mail bounces.


To: [email protected]
Subject: [spamtools] IMPORTANT!!! ORBS USERS PLEASE TAKE NOTE
Date: Thu, 12 Jul 2001 14:52:46 -0700
From: "Ronald F. Guilmette" <[email protected]>

IMPORTANT!!!

IF YOU ARE CONFIGURED TO MAKE REFERENCES TO ANY ORBS.ORG `LIST' ZONE
I STRONGLY SUGGEST THAT YOU DISCONTINUE DOING SO IMMEDIATELY, IF NOT
SOONER. FAILURE TO DO SO MAY RESULT IN SERIOUS IMPAIRMENT OF YOUR
E-MAIL INFLOW.

This is a public service announcement for those sites that are still
configured to perform lookups against any or all of the following
former (and now defunct) ORBS zones:


inputs.orbs.org
outputs.orbs.org
relays.orbs.org
delayed-outputs.orbs.org
spamsources.orbs.org
spamsource-netblocks.orbs.org
manual.orbs.org

As a courtesy to Alan Brown (owner and operator of ORBS.ORG), I agreed
last year to allow one of my name servers (E-SCRUB.COM) to become one
of 11 name servers for the orbs.org zone. I agreed to this because
each of the `list' subdomains noted above was in fact a separate zone
of its own, separate and different from the base `orbs.org' zone, which
itself contained very few DNS records.

My agreement with Alan was ONLY to act as a secondary name server (one
of eleven) for the base orbs.org zone. Because of normal DNS client-side
caching, and because of the small number of DNS records involved, I knew
for certain at the time that having my name server be one of 11 secondaries
for the base orbs.org zone would involve very little expenditure of
bandwidth on my part.

The situation changed dramatically however with Alan's disabling of the
subzones mentioned above. (This occurred sometime last month. I'm not
exactly sure of the date.) When disabling the `list' subzones, Alan
apparently just removed any mention of these subzones/subdomains from
the base orbs.org zone file.

Because of the way Alan disabled the former ORBS list zones, my name
server is now shouldering (at least) 1/11th of the total world-wide
DNS queries that are still being made against both the base orbs.org
zone and also against all of the former ORBS `list' subzones. This
may not sound like a lot, but in fact it DOES represent a substantial
and noticeable drain on the small amount of bandwidth I have. I should
note also that when I briefly turned on query logging in my name server
recently, I found that over 2,000 sites world wide are still making
frequent and repeated references to the former ORBS list subzones,
presumably as they attempt to check each e-mail message coming into
their mail servers.

I simply do not have the kind of bandwidth necessary to support all of
this pointless and utterly wasteful traffic. I've asked Alan multiple
times to remove my name server from the list of authoritative name servers
for the orbs.org zone, and each time he has made up some new implausible
excuse. Alan's dog may indeed have eaten his homework, but his excuses
just aren't believable anymore. (He has had plenty of time to take care
of this. I first requested him to remove my server on June 7th, 2001,
and I have re-requested that he do that several times since. Each time
he has either failed to respond or else had presented me with some new
implausible excuse.)

I've considered various solutions to this problem, but none of them seem
particularly easy for me. I could certainly relocate my name server, called
E-SCRUB.COM, to a different IP address, but for all I know, the DNS query
traffic might just follow the name, rather than the IP address, so then I'd
be right back where I started. It would also be a major pain in the ass for
me to get a new IP for other reasons. I have already tried setting up
NS records in _my_ copy of the orbs.org zonefile (on my name server) for
all of the subzones mentioned above, and pointing all of those NS records
at 127.0.0.1 (local loopback address) but for reasons I don't fully
understand, that hasn't stopped the DNS query flood to my name server either.

I'm sure that there are a number of other possible convoluted solutions to
this problem, e.g. creating a new `host' record in DNS (and with NSI) and
then re-jiggering all of the records for my many other domains so that the
primary name servers for those are listed as being the new `host', but this
seems like a lot more work than I should have to go to just because Alan
refuses to do the decent thing and because so many sites have been so horribly
lax in removing references to the now long defunct ORBS list zones.

In light of all this, I've decided to just use a trivial and brute-force
approach to stopping all of this DNS query traffic from being sent to my
name server. As of 9 PM tonight (Pacific Daylight Time) my name server
will be configured to answer ALL `A' record queries regarding ANY name
within the orbs.org domain with an affirmative response and with the IP
address value `127.0.0.1'. Each such response will carry an extremely
long TTL, in order to insure that further queries regarding the same name
will be put off as long as possible into the indefinite future.

An exception will be made, of course, for `A' record queries relating to
`http://www.orbs.org', which my name server will continue to identify as being
located at 202.61.250.235.

The implications of my plan for sites still attempting to use the orbs.org
zones for e-mail filtering purposes should be evident. From 9 PM PDT tonight
all such sites will begin to reject (at least) an estimated 1/11th of their
incoming e-mail, at random. The portion of incoming e-mail given this
treatment by these sites may in fact increase, over time, as I also intend
to delete all other NS (name server) records from my copy of the orbs.org
zone file, leaving only my server listed as being authoritative for this
zone. (I'm actually not sure what effects this will have as the root
server will still contain a complete list of all 11 current registered
name servers for the zone.)

Complaints, flames, and lawsuit threats resulting from the DNS change that
I will make to my name server this evening should be directed to Alan Brown,
whose new/current e-mail address seems to be <[email protected]>,
and/or to your own local mail administrator.

Finally, allow me to recommend to all mail administrators reading this that
tonight's change will provide you with what I believe will be a more than
compelling incentive to select some new and different source of open relays
data. At the present time, there are at least four such services available
to the general public.


Regards,
Ron Guilmette
<[email protected]>


P.S. I wish that I could recommend one of the four active open relays listing
services above the others, but one of them refuses to accept automated
submissions, two of the others don't seem to even answer their e-mail, and the
final one has recently blacklisted my own non-open mail server, simply
because I made the small mistake of manually replying to one of their own
auto-replies that was sent in response to a prior message that I had sent
them to nominate some open relays I knew about.

When and if a responsive and intelligently-run public open relays listing
service becomes available, I'll certainly be among the first to use it and to
recommend it.
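
An added example, not part of any message in this thread: a per-server sanity check a mail administrator could run before trusting a DNS blacklist, so that one wildcarded server (as Matti's `dig @server` query found) does not turn into random bounces. It uses the test points later codified in RFC 5782 (127.0.0.2 must be listed, 127.0.0.1 must never be); the zone `dnsbl.example`, the 192.0.2.x server addresses, the stub data and all function names are assumptions made for illustration.

```python
import ipaddress
import subprocess

def dnsbl_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def dig_lookup(name, server):
    """A records for `name` as answered by one specific server (uses dig)."""
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "@" + server, name, "A"],
        capture_output=True, text=True).stdout
    addrs = []
    for token in out.split():
        try:
            addrs.append(str(ipaddress.IPv4Address(token)))
        except ValueError:
            pass  # CNAME targets or dig diagnostics, not an address
    return addrs

def server_state(zone, server, lookup=dig_lookup):
    """Classify one authoritative server using the two test points."""
    if lookup(dnsbl_name("127.0.0.1", zone), server):
        return "wildcard"  # lists an address that must never be listed
    if not lookup(dnsbl_name("127.0.0.2", zone), server):
        return "dead"      # mandatory test entry is missing
    return "ok"

def audit_zone(zone, servers, lookup=dig_lookup):
    """Map each server to its state so disagreeing servers stand out."""
    return {s: server_state(zone, s, lookup) for s in servers}

def should_reject(ip, zone, servers, lookup=dig_lookup):
    """Fail open: reject only when every server passes the sanity check."""
    bad = {s: st for s, st in audit_zone(zone, servers, lookup).items()
           if st != "ok"}
    if bad:
        return False, "zone not trusted: %s" % bad
    name = dnsbl_name(ip, zone)
    listed = any(lookup(name, s) for s in servers)
    return listed, "listed" if listed else "not listed"

# Constructed stub data standing in for real DNS, so the example runs offline.
STUB_LISTED = {"2.0.0.127.dnsbl.example", "7.113.0.203.dnsbl.example"}

def stub_lookup(name, server):
    if server == "192.0.2.11":   # constructed: answers every name
        return ["127.0.0.1"]
    if server == "192.0.2.12":   # constructed: empty zone
        return []
    return ["127.0.0.2"] if name in STUB_LISTED else []

if __name__ == "__main__":
    servers = ["192.0.2.1", "192.0.2.11", "192.0.2.12"]
    print(audit_zone("dnsbl.example", servers, stub_lookup))
    print(should_reject("203.0.113.7", "dnsbl.example", servers, stub_lookup))
    print(should_reject("203.0.113.7", "dnsbl.example", ["192.0.2.1"], stub_lookup))
```
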


2001-07-14 12:18:23

by Alan

Subject: Re: ORBS blacklist is BROKEN (deliberately)...

> http://www.e-scrub.com/orbs/ is the key. "Ronald F. Guilmette"
> <[email protected]> sent this message to spam lists. Anybody still using
> ORBS for lookups can expect to get random mail bounces.

Yeah he's decided to solve his load problem by committing an act of criminal
fraud, computer misuse and a few other violations

> Because of the way Alan disabled the former ORBS list zones, my name
> server is now shouldering (at least) 1/11th of the total world-wide

[I think he means the way the courts did..]

And guess what, as soon as ORBS got beaten off the net MAPS starts talking
about charging for their service, just like they promised they never would

Alan

2001-07-14 15:58:02

by Colonel

Subject: Re: ORBS blacklist is BROKEN (deliberately)...

>> Because of the way Alan disabled the former ORBS list zones, my name
>> server is now shouldering (at least) 1/11th of the total world-wide
>
>[I think he means the way the courts did..]
>
>And guess what, as soon as ORBS got beaten off the net MAPS starts talking
>about charging for their service, just like they promised they never would
>
>Alan


Aha!! That _proves_ that this whole idea was _always_ a big con! I'm
glad this Big Brother crap is gone.

2001-07-14 22:34:22

by David Ford

Subject: Re: ORBS blacklist is BROKEN (deliberately)...

Actually Alan, MAPS notified me a year ago that they were migrating to a
subscription service and wanted to setup an arrangement. After talking
with them and seeing the networks I represent, they made the offer of a
free subscription. I chose to use their standard lookups anyway even
though they offered to work with me for arrangements that benefitted me.

Not everyone is perfect, but there is more to this maps/orbs/* story and
it isn't all evil :)

David

Alan Cox wrote:

>>http://www.e-scrub.com/orbs/ is the key. "Ronald F. Guilmette"
>><[email protected]> sent this message to spam lists. Anybody still using
>>ORBS for lookups can expect to get random mail bounces.
>>
>
>Yeah he's decided to solve his load problem by committing an act of criminal
>fraud, computer misuse and a few other violations
>
>>Because of the way Alan disabled the former ORBS list zones, my name
>>server is now shouldering (at least) 1/11th of the total world-wide
>>
>
>[I think he means the way the courts did..]
>
>And guess what, as soon as ORBS got beaten off the net MAPS starts talking
>about charging for their service, just like they promised they never would
>
>Alan
>


2001-07-15 01:41:41

by Wayne.Brown

Subject: Re: ORBS blacklist is BROKEN (deliberately)...



I don't understand. Other sites are connecting to his server and trying to
obtain information he doesn't want to provide. He's tried repeatedly to have
his server removed as a nameserver for orbs and been refused. So now he's
chosen to return bogus answers to sites that query his server against his will.
How can that be a crime?

It reminds me of something I read once about a man who started receiving lots of
phone calls intended for a business. It seems the business had recently gotten
a new phone number that was the same as his home number (but with a different
area code). People who called the new number (but left out the area code)
reached the man's home. He tried to get the business to change their new number
(they'd had it for only a short time, whereas he had had his number for years).
They refused. So he started answering these calls by pretending to be an
employee of the business and being rude to the customers. For instance, he told
customers whose voices identified them as members of minority groups, "We don't
do business with you people -- you never pay your bills." It didn't take long
before the business changed their phone number to something that didn't remotely
resemble his number.

This seems to me to be much the same sort of thing. I find both solutions
rather clever, as they bring pressure to bear on the guilty party from sources
whose complaints are more difficult to ignore than those of the original
complainant himself.





Alan Cox <[email protected]> on 07/14/2001 07:17:46 AM

To: [email protected] (Keith Owens)
cc: [email protected] (Matti Aarnio), [email protected],
[email protected] (bcc: Wayne Brown/Corporate/Altec)

Subject: Re: ORBS blacklist is BROKEN (deliberately)...



> http://www.e-scrub.com/orbs/ is the key. "Ronald F. Guilmette"
> <[email protected]> sent this message to spam lists. Anybody still using
> ORBS for lookups can expect to get random mail bounces.

Yeah he's decided to solve his load problem by committing an act of criminal
fraud, computer misuse and a few other violations

> Because of the way Alan disabled the former ORBS list zones, my name
> server is now shouldering (at least) 1/11th of the total world-wide

[I think he means the way the courts did..]

And guess what, as soon as ORBS got beaten off the net MAPS starts talking
about charging for their service, just like they promised they never would

Alan

2001-07-15 12:09:30

by kaih

Subject: Re: ORBS blacklist is BROKEN (deliberately)...

[email protected] (Alan Cox) wrote on 14.07.01 in <[email protected]>:

> > http://www.e-scrub.com/orbs/ is the key. "Ronald F. Guilmette"
> > <[email protected]> sent this message to spam lists. Anybody still using
> > ORBS for lookups can expect to get random mail bounces.
>
> Yeah he's decided to solve his load problem by committing an act of criminal
> fraud, computer misuse and a few other violations

What are you smoking?

The DNS requests are happening against his express wishes, so if anything,
the *requests* are computer misuse. Alan's NS entries pointing people
there definitely are.

It's not Ronald who's telling people his server is authoritative; in fact,
he's doing just the opposite, loudly.

> > Because of the way Alan disabled the former ORBS list zones, my name
> > server is now shouldering (at least) 1/11th of the total world-wide
>
> [I think he means the way the courts did..]

I don't. He's talking about technical changes, not about legal reasons.

> And guess what, as soon as ORBS got beaten off the net MAPS starts talking
> about charging for their service, just like they promised they never would

How about starting a true free project, with charter and/or licensing that
makes it impossible to go non-free? Something that's controlled by more
than one person, and which is explicit about what exactly the rules are,
and which part of those rules are responsible for particular entry.

MfG Kai

2001-07-15 12:49:55

by Keith Owens

Subject: Re: ORBS blacklist is BROKEN (deliberately)...

On 15 Jul 2001 13:24:00 +0200,
[email protected] (Kai Henningsen) wrote:
>How about starting a true free project, with charter and/or licensing that
>makes it impossible to go non-free? Something that's controlled by more
>than one person, and which is explicit about what exactly the rules are,
>and which part of those rules are responsible for particular entry.

Already being discussed on anti-spam mailing lists, which is the correct
place for that discussion.

2001-07-15 18:08:05

by Michael H. Warfield

Subject: Re: ORBS blacklist is BROKEN (deliberately)...

On Sat, Jul 14, 2001 at 01:17:46PM +0100, Alan Cox wrote:
> > http://www.e-scrub.com/orbs/ is the key. "Ronald F. Guilmette"
> > <[email protected]> sent this message to spam lists. Anybody still using
> > ORBS for lookups can expect to get random mail bounces.

> Yeah he's decided to solve his load problem by committing an act of criminal
> fraud, computer misuse and a few other violations

I can't find any crimes or violations that he's committing.
His ethics may suck, but his system is being used against his explicitly
stated wishes. Personally, I think he would have been better off
rejecting everything and then people still using ORBS would see the
quality of the service drop as their SPAM level rose. But that's still
tantamount to the same thing. The information he is supplying is
false and people are relying on that information. But he's not obligated
to provide that information, in the first place, and there is NO
guarantee of reliability of that information. The real solution is
to get his name server out of the list for those zones.

He is also not committing any sort of fraud, either. He is
stating right up front that this information is wrong. He's not
pretending that it's anything else other than false. The whole
system is dead, so he has no way to provide accurate information, so
I would say he's being a lot more honest than the other 10 name servers
which continue to answer queries as if nothing has changed. Now THAT'S
a possibility for fraud.

Computer misuse? No... I don't think so. His computer is being
misused, sort of, but he's not misusing anyone else's computer. He's
not forcing them to rely on his information and he's even stating to
everyone that the information is wrong. But with the demise of ORBS
there is no way on God's green earth of the information being right,
anyways...

> > Because of the way Alan disabled the former ORBS list zones, my name
> > server is now shouldering (at least) 1/11th of the total world-wide

> [I think he means the way the courts did..]

It's probably the way the zones were left hanging with NS records
pointing at him that he can't control. Problem goes away if someone can
take his server out of the NS list. It's a technical issue, not a legal
issue, with regards to this one server. Doesn't change the fact that
all the rest of the servers are serving up responses that are going to
be increasingly out of date and inaccurate. Is that any better than
information that is just flat out uniformly wrong, and admits it?

> And guess what, as soon as ORBS got beaten off the net MAPS starts talking
> about charging for their service, just like they promised they never would

Sigh...

> Alan
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to [email protected]

Mike
--
Michael H. Warfield | (770) 985-6132 | [email protected]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

2001-07-15 19:32:57

by Glynn Clements

Subject: Re: ORBS blacklist is BROKEN (deliberately)...


Michael H. Warfield wrote:

> > > http://www.e-scrub.com/orbs/ is the key. "Ronald F. Guilmette"
> > > <[email protected]> sent this message to spam lists. Anybody still using
> > > ORBS for lookups can expect to get random mail bounces.
>
> > Yeah he's decided to solve his load problem by committing an act of criminal
> > fraud, computer misuse and a few other violations
>
> I can't find any crimes or violations that he's committing.
> His ethics may suck, but his system is being used against his explicitly
> stated wishes.

Maybe you misunderstood who "he" refers to?

I took it as referring to Alan Brown (the ORBS maintainer), rather
than to Ron Guilmette (who doesn't want his DNS server to be used).

I know that isn't what a literal reading of the quote and Alan's reply
suggests, but it seems to make more sense to me.

Alan can you clarify this please? (I know that this isn't particularly
on-topic, but now that it's been said ...).

--
Glynn Clements <[email protected]>

2001-07-15 19:45:48

by Alan

Subject: Re: ORBS blacklist is BROKEN (deliberately)...

> Maybe you misunderstood who "he" refers to?
>
> I took it as referring to Alan Brown (the ORBS maintainer), rather
> than to Ron Guilmette (who doesn't want his DNS server to be used).

Then you took it wrongly

2001-07-15 20:12:10

by Glynn Clements

Subject: Re: ORBS blacklist is BROKEN (deliberately)...


Alan Cox wrote:

> > Maybe you misunderstood who "he" refers to?
> >
> > I took it as referring to Alan Brown (the ORBS maintainer), rather
> > than to Ron Guilmette (who doesn't want his DNS server to be used).
>
> Then you took it wrongly

OK; In which case, it might help to provide some explanation as to why
you think that Ron Guilmette is "committing an act of criminal fraud,
computer misuse and a few other violations".

The existence of Michael Warfield's message suggests that I wasn't the
only one who felt that it seemed to be the other way around. For
anyone whose knowledge of this issue is limited to what has appeared
in this thread, all we have to go on is Ron's email, as posted by
Keith Owens.

--
Glynn Clements <[email protected]>