ORBS helps hackers to break into servers

2000-11-19 Thread Piotr Kasztelowicz

Hello

I will tell about my experience with ORBS (as a network administrator),
because the people associated with qmail have given a good recommendation
to use and rely on ORBS as a good anti-spam method.

I allow myself to have another opinion!

After the crash of one of the Polish Cardiac Society's servers, located in Lodz
(I administer other servers), I have been asked to help with administering
and securing this host. Until September it was really insecure and was
indicated (as I think and see) by ORBS as insecure. Exactly - it is not
excluded - that already at this time it helped hackers "to find it as easy
to break".

Since October, after the crash, I have installed - nota bene the software
recommended by ORBS and by this mailing list - that is, qmail as the mail
system and tcpserver, provided to secure qmail as well as telnetd, ftpd and
other insecure Internet daemons.

On November 5, I observed the attempt at port scanning, that is the relay
test by ORBS. These were accepted by the SMTP secured against open relay,
because ORBS tried to use addresses with the domain of the tested host
(also @lodz.ptkardio.pl).
The test continued until November 9. At this time I was away from my
hospital - I was participating in the Polish Medical Internet Conference,
where I spoke about qmail and tcpserver as a good security system for
Internet servers too.

"Nov  5 10:49:13 sun smtp: tcpserver: ok 16751 :212.51.193.152:25 relaytest.orbs.vuurwerk.nl:194.178.232.55::4445"


At this time there was the attempt to attack this server, earlier "tested by ORBS"

The hackers have not broken tcpserver, but the system was not responding,
and at this time we could not react. Now, when friends from Lodz had
rebooted the server, it worked correctly. I began to analyze the logs.

The logs indicated Romania as the hackers' place:

"Nov  9 12:13:05 sun telnet: tcpserver: deny 18305 :212.51.193.152:23 falconsrl.rdsnet.ro:193.231.236.12::3802"

Everything was restored shortly after this attack. But after some time ORBS
began the test again. And at this same time I observed again more attempts
at hacking - good luck - without damage.

I have sent ORBS requests to remove me from their database and to stop
testing, because I am of the opinion that this database is used first of
all by hackers.
If during the test I have observed increased attack activity, I can
suppose that the hackers at this time have information about which host
is tested and which host is established as insecure. Where!

I have blocked the SMTP machines to bounce all mail from ORBS. The effect
is good, but ORBS tries to still be active:

"Nov 20 00:22:39 sun smtp: tcpserver: deny 7226 :212.51.193.152:25 mail2.manawatu.net.nz:202.36.148.21:postmaster:1932"

WHY!

PLEASE DON'T RECOMMEND THE ORBS. This is criminal activity. My host can be
damaged during its evaluation!

Please tell me, please, what to do so that ORBS will finish with "standing
before the doors of my house and trying which keys may be useful to open
it"

The letter is very long, but this is a very big problem for me.

Please help to stop this criminal activity.

Piotr Kasztelowicz, MD
-- 
Piotr Kasztelowicz  <[EMAIL PROTECTED]>
[http://www.am.torun.pl/~pekasz]



Re: ORBS helps hackers to break into servers

2000-11-19 Thread Alex Pennace

On Mon, Nov 20, 2000 at 01:35:20AM +0100, Piotr Kasztelowicz wrote:
> I will tell about my experience with ORBS (as a network administrator),
> because the people associated with qmail have given a good recommendation
> to use and rely on ORBS as a good anti-spam method.
> 
> I allow myself to have another opinion!
> 
> After the crash of one of the Polish Cardiac Society's servers, located in Lodz
> (I administer other servers), I have been asked to help with administering
> and securing this host. Until September it was really insecure and was
> indicated (as I think and see) by ORBS as insecure.

Okay, so ORBS thought the previous incarnation of the mail host was an
open relay.

> Exactly - it is not excluded - that already at this time it helped hackers
> "to find it as easy to break".

You mean by relaying through the server? I believe ORBS only divulges
open relay IPs when the hosts in question persist in being open
relays. Presuming your server didn't reach that point, the only way
spammers could have found it was by looking up your IP at random
through the ORBS DNS or by scanning the net.

> Since October, after the crash, I have installed - nota bene the software
> recommended by ORBS and by this mailing list - that is, qmail as the mail
> system and tcpserver, provided to secure qmail as well as telnetd, ftpd and
> other insecure Internet daemons.

Gotcha.

> On November 5, I observed the attempt at port scanning, that is the relay
> test by ORBS. These were accepted by the SMTP secured against open relay,
> because ORBS tried to use addresses with the domain of the tested host
> (also @lodz.ptkardio.pl).

Ok.

> The test continued until November 9. At this time I was away from my
> hospital - I was participating in the Polish Medical Internet Conference,
> where I spoke about qmail and tcpserver as a good security system for
> Internet servers too.
> 
> "Nov  5 10:49:13 sun smtp: tcpserver: ok 16751 :212.51.193.152:25 relaytest.orbs.vuurwerk.nl:194.178.232.55::4445"
> 
> At this time there was the attempt to attack this server, earlier "tested by ORBS"

That log snippet only shows that ORBS connected to your SMTP
service. That is hardly an attack.

> The hackers have not broken tcpserver, but the system was not responding,
> and at this time we could not react. Now, when friends from Lodz had
> rebooted the server, it worked correctly. I began to analyze the logs.
> 
> The logs indicated Romania as the hackers' place:
> 
> "Nov  9 12:13:05 sun telnet: tcpserver: deny 18305 :212.51.193.152:23 falconsrl.rdsnet.ro:193.231.236.12::3802"
> 
> Everything was restored shortly after this attack. But after some time ORBS
> began the test again. And at this same time I observed again more attempts
> at hacking - good luck - without damage.

That's ridiculous. How could a failed connection attempt from a host
in Romania be considered a crack attempt? What does it have to do with
ORBS?

> I have sent ORBS requests to remove me from their database and to stop
> testing, because I am of the opinion that this database is used first of
> all by hackers.

You can certainly ask them to stop testing, but the ORBS database
doesn't keep top secret information, it is just a list of IPs. There
are many interesting hosts out there, most of which aren't listed in
ORBS.

> If during the test I have observed increased attack activity, I can
> suppose that the hackers at this time have information about which host
> is tested and which host is established as insecure. Where!

ORBS only lists hosts that are open mail relays. ORBS doesn't check
for any other vulnerabilities.

> I have blocked the SMTP machines to bounce all mail from ORBS. The effect
> is good, but ORBS tries to still be active:
> 
> "Nov 20 00:22:39 sun smtp: tcpserver: deny 7226 :212.51.193.152:25 mail2.manawatu.net.nz:202.36.148.21:postmaster:1932"
> 
> WHY!

Is that even an ORBS tester, or are you now blocking legitimate mail?

> PLEASE DON'T RECOMMEND THE ORBS. This is criminal activity. My host can be
> damaged during its evaluation!

129.63.206.57. That's an IP, I just listed an IP. Am I a criminal?

The story I got so far is ORBS tested your machine and found it to be
an open relay. You fixed it and ORBS tested you again. Meanwhile there
were isolated connection attempts from Romania and a system crash you
haven't firmly correlated to anything else.

Given those facts, solar flares seem a more plausible culprit than ORBS.

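The tcpserver log lines quoted in the thread can be read mechanically, which makes the point above concrete: "ok" means tcpserver accepted the TCP connection and started the service, "deny" means its access rules refused the connection before the daemon ever ran, and neither says anything about what happened inside the session. The Python below is an added example, not code from the thread or from the ucspi-tcp project. It parses the three lines quoted above (re-joined onto single lines, since the archive wrapped them) using the field layout tcpserver prints with -v, and counts connections per remote address, service and verdict so that a one-off refused connection stands apart from sustained probing.

```python
import re
from collections import Counter

# tcpserver -v log line, as it appears behind a syslog prefix in the thread:
#   <ts> <host> <service>: tcpserver: ok|deny <pid>
#       <localhost>:<localip>:<localport> <remotehost>:<remoteip>:<remoteinfo>:<remoteport>
TCPSERVER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<syslog_host>\S+) (?P<service>\w+): "
    r"tcpserver: (?P<verdict>ok|deny) (?P<pid>\d+) "
    r"(?P<local_host>[^:\s]*):(?P<local_ip>[^:\s]*):(?P<local_port>\d+) "
    r"(?P<remote_host>[^:\s]*):(?P<remote_ip>[^:\s]*):(?P<remote_info>[^:\s]*):(?P<remote_port>\d+)$"
)

# The three log lines quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
Nov  5 10:49:13 sun smtp: tcpserver: ok 16751 :212.51.193.152:25 relaytest.orbs.vuurwerk.nl:194.178.232.55::4445
Nov  9 12:13:05 sun telnet: tcpserver: deny 18305 :212.51.193.152:23 falconsrl.rdsnet.ro:193.231.236.12::3802
Nov 20 00:22:39 sun smtp: tcpserver: deny 7226 :212.51.193.152:25 mail2.manawatu.net.nz:202.36.148.21:postmaster:1932
"""


def parse_line(line):
    """Return a dict of fields for a tcpserver log line, or None if the line is not one."""
    m = TCPSERVER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    entry["local_port"] = int(entry["local_port"])
    entry["remote_port"] = int(entry["remote_port"])
    return entry


def describe(entry):
    """State only what the line proves: a started session, or a connection refused by
    the access rules before the service program ran."""
    where = f"{entry['service']}/{entry['local_port']}"
    if entry["verdict"] == "ok":
        return f"{entry['remote_ip']} connected to {where} (session started)"
    return f"{entry['remote_ip']} was refused on {where} (no session)"


def summarize(log_text):
    """Count lines per (remote_ip, service, verdict); returns a Counter keyed by that triple."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[(entry["remote_ip"], entry["service"], entry["verdict"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        print(describe(entry) if entry else f"unparsed: {line}")
    for (ip, service, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {service:7} {verdict:5} {n}")
```

Run against a real log, the summary is what one would look at before attributing a crash to anyone: a single "deny" on telnet from one address is one refused TCP connection, not evidence of a break-in, whereas dozens of entries from one source across several services over the same hours would be worth correlating with the outage.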


Re: ORBS helps hackers to break into servers

2000-11-19 Thread Piotr Kasztelowicz

On Sun, 19 Nov 2000, Alex Pennace wrote:

> The story I got so far is ORBS tested your machine and found it to be
> an open relay. You fixed it and ORBS tested you again. Meanwhile there
> were isolated connection attempts from Romania and a system crash you
> haven't firmly correlated to anything else.
> 

The hackers read the ORBS database, which it calls "insecure hosts",
and try to break into hosts directly from the list!

The ORBS insecure hosts database is readable by all,
but I think it logical that it should be first of all for the administrator
of the indicated host, and when they do nothing to improve security,
then it could be discussed whether to inform about such a host widely.

Also answer the question why the hackers finished with their attempts
when I blocked all access to my host for ORBS?

And why am I still in the database of insecure hosts,
when my host is already secure and works on the recommended software
(qmail, tcpserver)? Am I there because I allowed myself to request
that the SMTP scanning of my host be finished, and I have been established by ORBS
as "bad"?

I think that Internet societies should be sensitive to
any organization on the Net which gives itself the privilege
to say what is correct and what is incorrect.

Best Wishes

Piotr
---
Piotr Kasztelowicz <[EMAIL PROTECTED]>
[http://www.am.torun.pl/~pekasz]




Re: ORBS helps hackers to break into servers

2000-11-19 Thread Alex Pennace

On Mon, Nov 20, 2000 at 02:14:57AM +0100, Piotr Kasztelowicz wrote:
> The hackers read the ORBS database, which it calls "insecure hosts",
> and try to break into hosts directly from the list!

ORBS only lists hosts that are open mail relays. ORBS doesn't list
hosts that are not open relays but have other vulnerabilities.

ORBS is not a list of hosts with insecure telnet daemons.

ORBS is not a list of hosts with insecure ftp daemons.

> The ORBS insecure hosts database is readable by all,
> but I think it logical that it should be first of all for the administrator
> of the indicated host, and when they do nothing to improve security,
> then it could be discussed whether to inform about such a host widely.

ORBS is meant to blacklist problem hosts immediately, to curtail
damage to other systems.

> Also answer the question why the hackers finished with their attempts
> when I blocked all access to my host for ORBS?

Maybe the "hackers" have nothing to do with ORBS. Your only shred
of proof is a connection attempt to telnet from Romania.

> And why am I still in the database of insecure hosts,
> when my host is already secure and works on the recommended software
> (qmail, tcpserver)? Am I there because I allowed myself to request
> that the SMTP scanning of my host be finished, and I have been established by ORBS
> as "bad"?

Send mail to ORBS and try to resolve this with them.



Re: ORBS helps hackers to break into servers

2000-11-19 Thread Piotr Kasztelowicz

Hello

> ORBS only lists hosts that are open mail relays. ORBS doesn't list
> hosts that are not open relays but have other vulnerabilities.
> 
> ORBS is not a list of hosts with insecure telnet daemons.
> 
> ORBS is not a list of hosts with insecure ftp daemons.

It is not difficult to suppose that if the MTA was old and
insecure (= open relay possible), the rest of the software
is insecure too. The problem with them is that
the list of "relay hosts" is widely published on the Net,
instead of being sent to the interested admin.

> Send mail to ORBS and try to resolve this with them.

ORBS has ignored all letters and will not stop scanning
my host.

Best Wishes

Piotr
---
Piotr Kasztelowicz <[EMAIL PROTECTED]>
[http://www.am.torun.pl/~pekasz]




Re: ORBS helps hackers to break into servers

2000-11-19 Thread Adam McKenna

On Mon, Nov 20, 2000 at 07:08:55AM +0100, Piotr Kasztelowicz wrote:
> > Send mail to ORBS and try to resolve this with them.
> 
> ORBS has ignored all letters and will not stop scanning
> my host.

Hello, this list is for discussion of qmail, if you wish to discuss orbs
please take this to SPAM-L or elsewhere.

Thanks,

--Adam

-- 
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, 
http://flounder.net/publickey.html   |  technology's just a bunch of wires 
GPG: 17A4 11F7 5E7E C2E7 08AA|  connected to a bunch of other wires."
 38B0 05D0 8BF7 2C6D 110A|  Joe Rogan, _NewsRadio_
  1:28am  up 162 days, 23:44, 12 users,  load average: 0.07, 0.10, 0.37



Re: ORBS helps hackers to break into servers

2000-11-20 Thread Piotr Kasztelowicz

On Mon, 20 Nov 2000, Adam McKenna wrote:

> Hello, this list is for discussion of qmail, if you wish to discuss orbs
> please take this to SPAM-L or elsewhere.

The answer is for all subscribers, Adam; I am not sure that this is a discussion
for spam-l rather than the qmail list.

Qmail is the only MTA which supports and propagates ORBS "morally" and
technically, that is, the availability to connect the qmail platform to ORBS
and reject mail from hosts listed by ORBS.

Neither sendmail nor postfix is interested in the ORBS anti-spam system,
and they don't support ORBS. The ORBS system is also not accepted by the
sendmail and postfix teams. So only qmail administrators may
use ORBS.

If the qmail team resigns from supporting ORBS, their criminal story
will be finished. Also you, as a qmail propagator, have more
to decide with them. This is also a great question for you.

In my opinion ORBS - these are hacker supporters, and first of
all the hackers use the results of its tests to search for hosts "good" for
hacking. I have presented it on this list. Additionally - it
is difficult to discuss with ORBS, while the name of no person who
manages it has been listed on the ORBS WWW page.
This is really the last posting from me on this subject, and I think
all has been said. I hope it will be a reason to think about this problem,
which concerns me personally and, as I suppose, many hosts' admins.

Piotr Kasztelowicz, MD
Vicepresident of Polish Medical Internet Society
---
Piotr Kasztelowicz <[EMAIL PROTECTED]>
[http://www.am.torun.pl/~pekasz]




Re: ORBS helps hackers to break into servers

2000-11-20 Thread OK 2 NET - André Paulsberg

> Qmail is the only MTA which supports and propagates ORBS "morally" and
> technically, that is, the availability to connect the qmail platform to ORBS
> and reject mail from hosts listed by ORBS.
>
> Neither sendmail nor postfix is interested in the ORBS anti-spam system,
> and they don't support ORBS.
> The ORBS system is also not accepted by the sendmail and postfix teams.
> So only qmail administrators may use ORBS.

This is NOT true, and you are way off mark.

1. There is no official support of ORBS to my knowledge from QMAIL and its authors,
   not in the way you are implying in your posting to this list.

2. Sendmail and postfix and ALL other mail programs/MTAs that support RBL-type
   blocking will automatically support ORBS and any other lists like it.

3. There are several concerned QMAIL admins who desperately try to make their
   workload less affected by other mail administrators' poorly secured servers.

4. There are several other mail admins that run other MTA-software,
   who also run with ORBS with or without the "support" of the MTA-vendor.


> If the qmail team resigns from supporting ORBS, their criminal story will be finished.
> Also you, as a qmail propagator, have more to decide with them.
> This is also a great question for you.

You seem to mean that ORBS has done something wrong to you and/or others,
yet you have little or no evidence of your claims about criminal activities.


> In my opinion ORBS - these are hacker supporters, and first of all the
> hackers use the results of its tests to search for hosts "good" for hacking.

You seem to have messed up your server and are now blaming ORBS for it;
your hacker visits could JUST as well have found your server like they did
BEFORE you were reported to ORBS and subsequently listed there.


> I have presented it on this list.
> Additionally - it is difficult to discuss with ORBS,
> while the name of no person who manages it has been listed on the ORBS WWW page.

His name is Alan Brown, and on his www.orbs.org page he has a [EMAIL PROTECTED]
as the contact address which should get you in contact with the administrators.


> This is really the last posting from me on this subject, and I think
> all has been said. I hope it will be a reason to think about this problem,
> which concerns me personally and, as I suppose, many hosts' admins.

You should really get your server RE-TESTED; if it is secure it will
be removed, but this is only possible if you are NOT blocking ORBS.

Your earlier mails said you were blocking ORBS;
maybe the ORBS administrators are TRYING to get in contact with you?


Regards André Paulsberg





Re: ORBS helps hackers to break into servers

2000-11-20 Thread Johan Almqvist

[sorry but this was just too much...]

On Mon, Nov 20, 2000 at 01:33:22PM +0100, Piotr Kasztelowicz wrote:
> Qmail is the only MTA which supports and propagates ORBS "morally" and
> technically, that is, the availability to connect the qmail platform to ORBS
> and reject mail from hosts listed by ORBS.
> Neither sendmail nor postfix is interested in the ORBS anti-spam system,
> and they don't support ORBS. The ORBS system is also not accepted by the
> sendmail and postfix teams. So only qmail administrators may
> use ORBS.

That is WRONG. I use ORBS on a number of servers that run sendmail,
postfix and Exim. It works like a charm, keeps out spam and has a few too
many false positives, which come in thru my secondary MX's (real spammers
don't usually retry sending to a fallback host...)

> If the qmail team resigns from supporting ORBS, their criminal story
> will be finished. Also you, as a qmail propagator, have more
> to decide with them. This is also a great question for you.

Who is the qmail team? I have never heard of them and would like to make
their acquaintance.

> In my opinion ORBS - these are hacker supporters, and first of
> all the hackers use the results of its tests to search for hosts "good" for
> hacking. I have presented it on this list. Additionally - it
> is difficult to discuss with ORBS, while the name of no person who
> manages it has been listed on the ORBS WWW page.
> This is really the last posting from me on this subject, and I think
> all has been said. I hope it will be a reason to think about this problem,
> which concerns me personally and, as I suppose, many hosts' admins.

Can you please provide proof for ORBS supporting script kiddies?

If you mean that the ORBS list of potential relaying hosts as such
constitutes help to script kiddies, why does this not apply to other RBL
lists? And what technical solution to spreading such lists of IPs in a
secure manner do you propose?

> Piotr Kasztelowicz, MD
> Vicepresident of Polish Medical Internet Society

-Johan Almqvist
First Executive President of the International Swedish Society for Spam
Prevention, Yet To Be Founded.
-- 
Johan Almqvist
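André's point 2 (any MTA with RBL-type blocking can use ORBS or any list like it) and Johan's remark that listed mail still arrives through his secondary MXs both follow from how such lists are queried: the MTA reverses the octets of the connecting IP address, appends the list's DNS zone, and treats any answer as "listed". The Python below is an added example, not code from the thread or from any MTA (qmail installations usually do this with rblsmtpd from ucspi-tcp). The zone name dnsbl.example and the entry in FAKE_DNS are constructed placeholders, not the real ORBS zone or a real listing, and the DNS is replaced by an in-memory table so the example runs offline; resolve_with_dns shows where a real lookup would plug in.

```python
import ipaddress
import socket

# Placeholder zone name; the thread does not give the real ORBS zone and this is not it.
ZONE = "dnsbl.example"

# Constructed stand-in for the DNS. A DNSBL answers an A record (conventionally in
# 127.0.0.0/8) for listed addresses and NXDOMAIN (here: a missing key) for all others.
FAKE_DNS = {
    # hypothetical listing of the server discussed in the thread, for illustration only
    "152.193.51.212.dnsbl.example": "127.0.0.2",
}


def dnsbl_query_name(ip, zone=ZONE):
    """Build the name an RBL-type check looks up: the IPv4 octets reversed, then the
    zone appended. This is the whole mechanism, which is why any MTA that can do such a
    lookup can consult any list, regardless of who publishes it."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone=ZONE, resolve=FAKE_DNS.get):
    """True if the zone answers for the query name. `resolve` is injected so the example
    runs offline; pass resolve_with_dns for a live check."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def smtp_decision(peer_ip, zone=ZONE, resolve=FAKE_DNS.get):
    """Connection-time policy: 'reject' or 'accept'. Only the connecting peer is checked,
    so mail relayed via a secondary MX reaches the primary from the secondary's own
    address and the original sender is never looked up; the secondary must run the same
    check for the list to be effective there."""
    return "reject" if is_listed(peer_ip, zone, resolve) else "accept"


def resolve_with_dns(name):
    """Live resolver for real use (not exercised here): None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for ip in ("212.51.193.152", "194.178.232.55", "202.36.148.21"):
        print(f"{ip:16} {dnsbl_query_name(ip):36} {smtp_decision(ip)}")
```

The injected `resolve` is also the hook for the operational caveat in the thread: when a list is retired or its zone changes behaviour, a resolver that returns an answer for every name would make `smtp_decision` reject all mail, so a production check should treat answers outside 127.0.0.0/8 as "not listed".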



Re: ORBS helps hackers to break into servers

2000-11-20 Thread Adam McKenna

On Mon, Nov 20, 2000 at 01:33:22PM +0100, Piotr Kasztelowicz wrote:
> On Mon, 20 Nov 2000, Adam McKenna wrote:
> 
> > Hello, this list is for discussion of qmail, if you wish to discuss orbs
> > please take this to SPAM-L or elsewhere.
> 
> The answer is for all subscribers, Adam; I am not sure that this is a discussion
> for spam-l rather than the qmail list.

*PLONK*

--Adam



Re: ORBS helps hackers to break into servers

2000-11-20 Thread Alex Pennace

On Mon, Nov 20, 2000 at 07:08:33AM +0100, Piotr Kasztelowicz wrote:
> It is not difficult to suppose that if the MTA was old and
> insecure (= open relay possible), the rest of the software
> is insecure too.

There are many insecure hosts that are not on the ORBS list simply
because they are not running an open relay. There are many hosts
listed in ORBS that are otherwise secure but someone made an
oopsie. In particular, I believe many older but still prevalent Linux
distributions came with MTAs that were open relays by default but were
otherwise secure.

> The problem with them is that
> the list of "relay hosts" is widely published on the Net,
> instead of being sent to the interested admin.

Let's entertain your thoughts on security: if a host is truly
compromised either by being an open relay or other vulnerability, why
should other hosts have to endure abuse from it? ORBS allows other
administrators to block out a certain subset of hosts.

And even without ORBS there are still plenty of ways for the local
script kiddie to find your system.



Re: ORBS helps hackers to break into servers

2000-11-20 Thread Piotr Kasztelowicz

On Mon, 20 Nov 2000, OK 2 NET - André Paulsberg wrote:

> This is NOT true, and you are way off mark.
> 
> 1. There is no official support of ORBS to my knowledge from QMAIL and its authors,
>    not in the way you are implying in your posting to this list.
> 
> 2. Sendmail and postfix and ALL other mail programs/MTAs that support RBL-type
>    blocking will automatically support ORBS and any other lists like it.

OK, you are right, I'm sorry

Piotr
---
Piotr Kasztelowicz <[EMAIL PROTECTED]>
[http://www.am.torun.pl/~pekasz]




Re: ORBS helps hackers to break into servers

2000-11-28 Thread Russell Nelson

Piotr Kasztelowicz writes:
 > Qmail is the only MTA which supports and propagates ORBS "morally"

Who does this?  Not me.  If anybody asks about ORBS, I tell them not
to use it.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.



Re: ORBS helps hackers to break into servers

2000-11-28 Thread Piotr Kasztelowicz

Hello

> Who does this?  Not me.  If anybody asks about ORBS, I tell them not
> to use it.

OK :-), sorry if you have taken my remarks personally. I had many problems
with ORBS and will say that the negative results of its activity should
be strongly stated. If you are of the same opinion as I - OK, thank you.

Best Wishes from Torun

Piotr
---
Piotr Kasztelowicz <[EMAIL PROTECTED]>
[http://www.am.torun.pl/~pekasz]