[Techtalk] sendmail/RBL question (linuxchix)

[Linda Laubenheimer]

Note, 

Since my response to this email concerns Paul Vixie, I have CC'd him 
on this email.  It's only fair.  I hope he actually joins this list 
and responds himself.  He is, after all, an advocate and sponsor of 
Open Source software.

Sunni Maravillosa wrote:
> 
> Hi everyone,
> 
> I have a possibly confusing question, because in typical newbie
> fashion, I may be confusing a couple of different things. First, some
> background.
> 
> I'm on a couple of email discussion lists, and on one, spam
> occasionally gets through the owner's filters and blocks. Someone on
> the list has taken it upon himself to complain to the "spam police",
> which has created lots of problems for the list owner. In short, now
> many legitimate messages get bounced because of what he's done to try
> to eliminate spam, and getting RBL'ed (Real Time Blacklisted, in case
> anyone doesn't know).

It seems like the list owner has more problems than just being unable 
to stop spammers to the list.  He may be running an open relay.  As I 
recall, only open relays end up RBL's, and the MAPS people actually 
test to see if the mail relay is actually open.

> I've been doing some researching on this, and found one site that makes
> a claim that the sendmail program has RBL stuff built in. Here's the
> text from the page, http://www.ifn.net/rblstory.htm:

"Story" is right...  This is the most inflammatory piece of propaganda 
I've read in a long time.  Even Hollings and Disney don't lay it on 
quite as thick.  The only thing missing is a reference to Hitler.  As it 
is, they reference McVeigh, and "Sherman's march to the sea".

> "RBL's work is made easier by the complicity of two other
> organizations.
> 
> "The first is 'sendmail.com', the commercial provider of the email
> processing software that is
> probably the most widely used by online providers, and the organization
> it officially recognizes
> to support its open distribution software, 'sendmail.org'. As their web
> site will tell you, they are
> intimately linked to RBL; their web site is, in fact, hosted by the
> Internet Software Consortium,
> which is listed at the same address as RBL itself, with Paul Vixie as
> its technical contact. And
> in the recent versions of 'sendmail', RBL intrusion capability is built
> in. Coincidence? Maybe.
> In any case, it means two things. First, it is software with someone
> else's view of a desired
> social order built into it. And second, when providers update their
> software from time to time,
> if they update 'sendmail' they may be enabling RBL, and thus block some
> email to their
> customers, without even realizing that it happened."

This article is biased and full of distorted half truths and 
inflammatory rhetoric.  Paul Vixie may be eccentric, but he isn't 
malicious.  I've worked with him.

For starters, ISC (Vixie's non-profit) does not distribute sendmail.  
In fact, the ISC servers run Postfix - because sendmail is too clunky 
and insecure!!  If you don't believe me, visit www.isc.org.  

The software that ISC distributes is BIND, DHCP, and INN.  Period.  
While they may have links to others, they don't have anything to do 
with writing it.  Hell, ISC has only a few employees, mostly to run 
Paul's compile farm (machines that are available to various open source 
organizations to compile and test software on) and his small onsite 
hosting area, which he makes available cheap to non-profit/open source 
servers.

The sendmail.org's web site has this line: "The past support of Paul 
Vixie and the Internet Software Consortium is gratefully appreciated."
Believe me, if I had a site hosted in Vixie's area for cheap or free 
(I'm not sure how much he charges), I would be damn grateful too.  One 
of the biggest expenses for open source can be server space and 
bandwidth.  Also, I believe Paul maintains one of the major 
authoritative name servers on the west coast of the US - out of ISC's 
pocket, which is mostly his own.

Second, Paul's (and his organization's) philosophy is based around the 
idea of giving people choices.  RBL is not enabled by default at his 
urging or request.  And in Postfix, you specifically have to install 
and enable it.

Third, many people try to slam Paul and MAPS for the RBL and such.  
Most of these people are those too lazy, incompetent, or unethical 
to secure their open relays, which are what enable spammers to dump 
tons of cr at p in your mailbox.  Then they get all unhappy when they 
get RBL'd for being a spam-haven or spam enabler.  The legitimate 
businesses don't stop to think that the spammers are stealing 
resources from *them*, too (bandwidth is an expense, and spam eats 
it), and plugging the hole can save them money.

The line in the article that tells me they are spammer sympathizers 
is "Without either endorsing or condemning bulk or unsolicited email, 
we don't believe it is our right, or the right of any third party, to 
restrict, or facilitate the restriction, of the legitimate conduct 
of a business."  The fact that they consider UCE "legitimate" conduct 
of business is telling.  The lurid red on black is another clue that 
they are spinning the truth to suit their version of reality.  The 
whole article enraged me - so many half truths and distorted facts 
spun with the most malevolent twist I have seen in years.  These guys 
could get a job writing propaganda in any totalitarian regime.

Finally, don't believe everything you read on the web, especially when 
it is couched in inflammatory rhetoric.

> Okay, here's the question (actually, more than one): This is referring
> to the sendmail program lots of Linux boxes have, right? So an open
> source program has blocking stuff built in?

I believe than you *can* enable RBL with sendmail, but it is not on by 
default.  If you are in doubt, get rid of sendmail and use postfix, 
which is much easier to configure and use (from my experience), and is 
more secure.

> Assuming those answers are yes... Is there any way to avoid using
> sendmail? Or can one disable the RBL capability of sendmail?

To the best of my knowledge, sendmail does *not* have RBL enabled by 
default.  The article was FUD from people who are probably paid by, 
or profit from, spammers.  To install RBL in any mailer I know of, 
you have to deliberately put it there.

Disclaimer and info: I used to work for Nominum Inc, which was 
founded by Paul Vixie, and who wrote the latest version of BIND, and 
I think they also maintain DHCP under contract with ISC.  We shared 
office space with Paul, ISC and MAPS.  Paul Vixie is also a high 
level exec for PAIX, which has a very secure colo facility in Palo 
Alto, California.  Several non-profit and open source .org also have 
colo servers there, courtesy Paul Vixie.

See also the Vixie Enterprises page, http://www.vix.com/

					Linda 
-- 
Linda J Laubenheimer - UNIX Geek, Sysadmin, Bibliophile and Iconoclast
http://www.modusvarious.net/ - consultants available
http://www.laubenheimer.net/ - personal demo site
http://www.geocities.com/laubenheimer/ - web design gaffes (I wouldn't 
disgrace a real ISP with these) and rants about bad design.