[Techtalk] sendmail/RBL question (linuxchix)
Linda Laubenheimer
ljl at rahul.net
Thu Mar 28 15:29:40 EST 2002
Note,
Since my response to this email concerns Paul Vixie, I have CC'd him
on this email. It's only fair. I hope he actually joins this list
and responds himself. He is, after all, an advocate and sponsor of
Open Source software.
Sunni Maravillosa wrote:
>
> Hi everyone,
>
> I have a possibly confusing question, because in typical newbie
> fashion, I may be confusing a couple of different things. First, some
> background.
>
> I'm on a couple of email discussion lists, and on one, spam
> occasionally gets through the owner's filters and blocks. Someone on
> the list has taken it upon himself to complain to the "spam police",
> which has created lots of problems for the list owner. In short, now
> many legitimate messages get bounced because of what he's done to try
> to eliminate spam, and getting RBL'ed (Real Time Blacklisted, in case
> anyone doesn't know).
It seems like the list owner has more problems than just being unable
to stop spammers to the list. He may be running an open relay. As I
recall, only open relays end up RBL's, and the MAPS people actually
test to see if the mail relay is actually open.
> I've been doing some researching on this, and found one site that makes
> a claim that the sendmail program has RBL stuff built in. Here's the
> text from the page, http://www.ifn.net/rblstory.htm:
"Story" is right... This is the most inflammatory piece of propaganda
I've read in a long time. Even Hollings and Disney don't lay it on
quite as thick. The only thing missing is a reference to Hitler. As it
is, they reference McVeigh, and "Sherman's march to the sea".
> "RBL's work is made easier by the complicity of two other
> organizations.
>
> "The first is 'sendmail.com', the commercial provider of the email
> processing software that is
> probably the most widely used by online providers, and the organization
> it officially recognizes
> to support its open distribution software, 'sendmail.org'. As their web
> site will tell you, they are
> intimately linked to RBL; their web site is, in fact, hosted by the
> Internet Software Consortium,
> which is listed at the same address as RBL itself, with Paul Vixie as
> its technical contact. And
> in the recent versions of 'sendmail', RBL intrusion capability is built
> in. Coincidence? Maybe.
> In any case, it means two things. First, it is software with someone
> else's view of a desired
> social order built into it. And second, when providers update their
> software from time to time,
> if they update 'sendmail' they may be enabling RBL, and thus block some
> email to their
> customers, without even realizing that it happened."
This article is biased and full of distorted half truths and
inflammatory rhetoric. Paul Vixie may be eccentric, but he isn't
malicious. I've worked with him.
For starters, ISC (Vixie's non-profit) does not distribute sendmail.
In fact, the ISC servers run Postfix - because sendmail is too clunky
and insecure!! If you don't believe me, visit www.isc.org.
The software that ISC distributes is BIND, DHCP, and INN. Period.
While they may have links to others, they don't have anything to do
with writing it. Hell, ISC has only a few employees, mostly to run
Paul's compile farm (machines that are available to various open source
organizations to compile and test software on) and his small onsite
hosting area, which he makes available cheap to non-profit/open source
servers.
The sendmail.org's web site has this line: "The past support of Paul
Vixie and the Internet Software Consortium is gratefully appreciated."
Believe me, if I had a site hosted in Vixie's area for cheap or free
(I'm not sure how much he charges), I would be damn grateful too. One
of the biggest expenses for open source can be server space and
bandwidth. Also, I believe Paul maintains one of the major
authoritative name servers on the west coast of the US - out of ISC's
pocket, which is mostly his own.
Second, Paul's (and his organization's) philosophy is based around the
idea of giving people choices. RBL is not enabled by default at his
urging or request. And in Postfix, you specifically have to install
and enable it.
Third, many people try to slam Paul and MAPS for the RBL and such.
Most of these people are those too lazy, incompetent, or unethical
to secure their open relays, which are what enable spammers to dump
tons of cr at p in your mailbox. Then they get all unhappy when they
get RBL'd for being a spam-haven or spam enabler. The legitimate
businesses don't stop to think that the spammers are stealing
resources from *them*, too (bandwidth is an expense, and spam eats
it), and plugging the hole can save them money.
The line in the article that tells me they are spammer sympathizers
is "Without either endorsing or condemning bulk or unsolicited email,
we don't believe it is our right, or the right of any third party, to
restrict, or facilitate the restriction, of the legitimate conduct
of a business." The fact that they consider UCE "legitimate" conduct
of business is telling. The lurid red on black is another clue that
they are spinning the truth to suit their version of reality. The
whole article enraged me - so many half truths and distorted facts
spun with the most malevolent twist I have seen in years. These guys
could get a job writing propaganda in any totalitarian regime.
Finally, don't believe everything you read on the web, especially when
it is couched in inflammatory rhetoric.
> Okay, here's the question (actually, more than one): This is referring
> to the sendmail program lots of Linux boxes have, right? So an open
> source program has blocking stuff built in?
I believe than you *can* enable RBL with sendmail, but it is not on by
default. If you are in doubt, get rid of sendmail and use postfix,
which is much easier to configure and use (from my experience), and is
more secure.
> Assuming those answers are yes... Is there any way to avoid using
> sendmail? Or can one disable the RBL capability of sendmail?
To the best of my knowledge, sendmail does *not* have RBL enabled by
default. The article was FUD from people who are probably paid by,
or profit from, spammers. To install RBL in any mailer I know of,
you have to deliberately put it there.
Disclaimer and info: I used to work for Nominum Inc, which was
founded by Paul Vixie, and who wrote the latest version of BIND, and
I think they also maintain DHCP under contract with ISC. We shared
office space with Paul, ISC and MAPS. Paul Vixie is also a high
level exec for PAIX, which has a very secure colo facility in Palo
Alto, California. Several non-profit and open source .org also have
colo servers there, courtesy Paul Vixie.
See also the Vixie Enterprises page, http://www.vix.com/
Linda
--
Linda J Laubenheimer - UNIX Geek, Sysadmin, Bibliophile and Iconoclast
http://www.modusvarious.net/ - consultants available
http://www.laubenheimer.net/ - personal demo site
http://www.geocities.com/laubenheimer/ - web design gaffes (I wouldn't
disgrace a real ISP with these) and rants about bad design.
More information about the Techtalk
mailing list