Today represents chapter one in the book of why it’s not good to put too much faith in privately-run public resources on the Internet.

Earlier, one of my friends dropped me an email asking if I could help figure out why a friendly piece of mail had been tagged as spam by SpamAssassin. Looking at the mail headers, SpamAssassin had added 3.5 points to the message’s spam score for being passed through mail servers that ostensibly were insecure, and 2.9 of those points were as a result of one of my mail servers being insecure. This set me off investigating, and after making sure that the accused mail server wasn’t actually the problem, I started looking into how it had made it onto the list of insecure machines. Imagine my surprise when I discovered that every single mail server on the Internet has been added to the insecure list, and that every mail system that consults the list is now using that information while making decisions about whether or not to deliver email sent through those servers.

(Let’s take a detour here into a short explanation of the list of insecure machines, otherwise known as a DNS-based blackhole list. Over the past few years, administrators of the servers that route email around the Internet have taken actions to make sure that only authorized people can use those servers. Email spammers have hunted around the net to find servers that haven’t been secured, and then have used those servers to send out their millions of unwanted ads. In response, various groups have created lists of the unsecured servers, as well as automated methods to check the lists for whether or not a mail server is on them. These automated methods have been built into dozens of mail filtering systems, each of which uses the information in different ways in an attempt to determine whether the mail they’re filtering is legitimate. In the end, the lists help determine whether an end-user sees a piece of email, or whether it’s doomed to a junk mail folder, never to be seen.)

Now, back to today. In looking into how it was that my mail server had been blacklisted, I started playing around and found out that any mail server I checked came back as insecure. Worried that the list had been hacked, I decided to call the administrator, Osirusoft’s Joe Jared. It was trivial to get him on the phone, and he readily admitted that his lists were no longer functional, asking that I stop using them. He sounded cantankerous, so I didn’t push him too hard on it, instead opting to go the Google route for further investigation. In doing so, I found out that all of the blacklist providers have been the victims of a coordinated attempt to shove them offline over the past few weeks. Most of the providers just took their lists down for the time being, assuming that all the mail filters that used them would just figure out that they couldn’t access the information and move on. Differently, Osirusoft decided that the way to handle the assault was to blacklist every single mailserver on the Internet, which meant that any filter system that used its list would automatically consider every email as more likely to be spam. In other words, instead of simply no longer providing the service, Joe Jared specifically decided to do a disservice to the Internet, saying that he felt there was no other way to handle the situation.

So, until Jared decides to stop putting whoopie cushions on the seats of most email users, people need to change their mail filters to stop using the Osirusoft blacklist. If you use SpamAssassin, doing so involves making a few small changes to your setup. First, copy these lines, which set the score of every Osirusoft-based rule to zero so that a hit on the list no longer adds anything to a message’s spam score:

score RCVD_IN_OSIRUSOFT_COM     0
score X_OSIRU_DUL               0
score X_OSIRU_DUL_FH            0
score X_OSIRU_OPEN_RELAY        0
score X_OSIRU_SPAMWARE_SITE     0
score X_OSIRU_SPAM_SRC          0

Now, if you want to make the changes to your entire sitewide SpamAssassin installation (which is highly recommended), paste the lines into your local.cf file (located on most Unix machines in the /etc/mail/spamassassin folder). If you want to make them only to your own personal filters, paste them into your user_prefs file (usually located in your home directory, in a subdirectory named .spamassassin). If you use the always-running spamd server, make sure to restart it so that it rereads the rules files.
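Turning off the rules fixes the symptom, but the underlying problem is a list that answers “listed” for every address. Here is an added example (not code from the original post) of a small health check for any DNS-based blackhole list: it builds the reversed-octet query name the way the list lookup in the headers above does, then probes the two RFC 5782 test addresses, 127.0.0.2 (must be listed) and 127.0.0.1 (must never be listed). The resolver is injected as a function so the check runs offline; the three fake resolvers and the zone name relays.example.test are constructed stand-ins, not real lists.

```python
import ipaddress
from typing import Callable, Optional

# A resolver takes a hostname and returns its A record as a string, or None
# when the name does not exist (NXDOMAIN). It is injected so the check can run
# offline against constructed fakes; a real one would wrap a DNS library call.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, under the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """An address is listed when its query name resolves to any A record."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def dnsbl_health(zone: str, resolve: Resolver) -> str:
    """Classify a list with the RFC 5782 test points: 127.0.0.2 MUST be listed,
    127.0.0.1 MUST NOT be. A list that says "listed" for the never-listed
    address is flagging everything (the failure described in the post); one
    that answers for neither has been taken down or never worked."""
    must_be_listed = is_listed("127.0.0.2", zone, resolve)
    must_not_be_listed = is_listed("127.0.0.1", zone, resolve)
    if must_not_be_listed:
        return "lists-everything"
    if must_be_listed:
        return "healthy"
    return "dead"


# Constructed fake resolvers standing in for real DNS answers (assumption).
def fake_listing_everything(name: str) -> Optional[str]:
    return "127.0.0.2"  # every query comes back "listed"

def fake_healthy(name: str) -> Optional[str]:
    return "127.0.0.2" if name.startswith("2.0.0.127.") else None

def fake_dead(name: str) -> Optional[str]:
    return None  # zone has been withdrawn entirely


if __name__ == "__main__":
    for label, resolver in [("lists-all", fake_listing_everything),
                            ("healthy", fake_healthy), ("withdrawn", fake_dead)]:
        print(label, "->", dnsbl_health("relays.example.test", resolver))
```

A filter that ran this check before trusting a list would have zeroed out the Osirusoft rules automatically instead of scoring every message as relayed through an open relay.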

I’d love to recommend some other blacklist to use instead of the Osirusoft one, but reading a bit today about the effects of Jared’s decision to turn his blacklist into a black hole, I fear that part of the solution is relying less on privately-run services that can cause the same problem in the future.

Comments

I ran into this as well just tonight in trying to set up a mail-processing script. All of my test emails were getting caught by SpamAssassin that is running on a different server, all being scored like this:

SPAM: RCVD_IN_OSIRUSOFT_COM (0.4 points) RBL: Received via a relay in relays.osirusoft.com
SPAM: [RBL check: found 000.000.000.00.relays.osirusoft.com.]
SPAM: X_OSIRU_OPEN_RELAY (2.7 points) RBL: DNSBL: sender is Confirmed Open Relay

(note, the real IP address has been zeroed out)

• Posted by: Cam on Sep 2, 2003, 10:47 PM

Thanks for this tip it solved my problems.

• Posted by: Doug Robb on Dec 1, 2003, 8:32 PM