Hi Anders,

It looks like SuSE may have been a victim of what I will call the "blackhole attack", or more properly the "open mail relay blackhole list attack", a new twist on a denial of service attack which subverts the Internet's own self-help organizations in order to disrupt email services.

If a mail server acts as an open mail relay, then a spammer-attacker can send spam, or just a dummy mail message, via this mail server to one of a number of sites which keep a blackhole list. The blackhole list site then puts the mail server on the list, which disrupts mail sent from the mail server to all destinations which subscribe to that list. http://www.orbz.org is one such blackhole list site. http://www.mail-abuse.org is another.

A short time ago, I had a similar problem. In my case, someone attacked my ISP, BigPond, causing my mail server to be listed at http://www.mail-abuse.org. This stopped all my mail to the DRI-user mailing list, hosted on SourceForge, because SourceForge subscribes to the mail-abuse.org list.

The amazing thing about this particular attack is that most comments I have seen paint the admin of the mail server as the perpetrator and not the victim. Sure, the admin needs to lock down the mail server. But the admin and the ISP are being belted by both the spammers and the anti-spam groups. And the ISP's customers are denied service.

In Thomas' case, I just checked at http://www.orbz.org and found:

ORBZ Database Information
IP: 202.58.118.7
State: clean
Listed in inputs: no
Listed in outputs: no
(What's the difference between inputs and outputs?)
Last Test: 2001-08-20 19:45:10
Last Test Result: no probes received back
---------------------------------------------------------
=========================================================
Direct DNS Lookups
inputs.orbz.org: clean
outputs.orbz.org: clean
or.orbl.org: clean
relays.ordb.org: clean
orbs.dorkslayers.com: clean
dev.null.dk: clean
relays.osirusoft.com: clean

So, the mail server 202.58.118.7 is clean. Yet Thomas received:
: Connected to 204.177.184.15 but sender was rejected. Remote host said: 550 5.7.1 Mail from 202.58.118.7 refused by blackhole site inputs.orbz.org
To me, this means that iserv.net has somehow incorrectly listed 202.58.118.7 as a blackholed server. The answer in this case could be to contact the admin of iserv.net with all of the information above and ask that 202.58.118.7 no longer be treated as a blackholed mail server, since inputs.orbz.org actually lists it as clean.

For more discussion on this topic, see http://www.kuro5hin.org/story/2001/8/23/1978/40794

Best regards
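The check described in the message above (parse the 550 rejection, then confirm the listing yourself with a direct DNS lookup against the named zone) is worth automating, because a rejecting MTA can be wrong and you want your own evidence before contacting its admin. The following is an added example, not code from the thread or from ORBZ: it builds the reversed-octet query name that DNSBLs use (`7.118.58.202.inputs.orbz.org` for the IP in the thread), classifies the answer (no answer means clean, an address in 127.0.0.0/8 means listed, anything else means the zone is broken or parked), and runs the RFC 5782 sanity test (127.0.0.2 must be listed, 127.0.0.1 must not) so a dead or hijacked zone is not mistaken for a real listing. The zone names are taken from the thread; the resolver table, the listed host 10.0.0.1 and the "parked" resolver are constructed for the demo so it runs offline. `live_resolve` is the only part that touches the network, and the ORBZ zones it would query no longer exist.

```python
import ipaddress
import re
import socket

# Constructed sample input: the rejection line quoted in the thread.
REJECTION = ("550 5.7.1 Mail from 202.58.118.7 refused by blackhole site "
             "inputs.orbz.org")

# Matches the shape of that 550 reply; other MTAs word their rejections
# differently, so this only covers the format seen in the thread.
REJECT_RE = re.compile(
    r"^550\s+5\.7\.1\s+Mail from (\d{1,3}(?:\.\d{1,3}){3}) refused by "
    r"blackhole site (\S+)$")

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def parse_rejection(line):
    """Return (sender_ip, dnsbl_zone) from the 550 reply, or None."""
    m = REJECT_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, as DNSBLs expect."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on junk
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolve(name):
    """Real A-record lookup; None stands for NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zone, resolve=live_resolve):
    """Classify one IP against one zone: 'clean', 'listed' or 'unexpected'."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "clean"
    if ipaddress.IPv4Address(answer) in LOOPBACK:
        return "listed"
    # DNSBLs answer only inside 127/8. Anything else means the zone is
    # parked, wildcarded or hijacked, not that the host is listed.
    return "unexpected"


def zone_is_sane(zone, resolve=live_resolve):
    """RFC 5782 test points: 127.0.0.2 is always listed, 127.0.0.1 never."""
    return (check_dnsbl("127.0.0.2", zone, resolve) == "listed"
            and check_dnsbl("127.0.0.1", zone, resolve) == "clean")


def confirm_rejection(line, resolve=live_resolve):
    """Parse a 550 reply and check the named zone ourselves."""
    parsed = parse_rejection(line)
    if parsed is None:
        return None
    ip, zone = parsed
    return {
        "ip": ip,
        "zone": zone,
        "query_name": dnsbl_query_name(ip, zone),
        "zone_sane": zone_is_sane(zone, resolve),
        "status": check_dnsbl(ip, zone, resolve),
    }


# Constructed resolver table standing in for a healthy inputs.orbz.org:
# 202.58.118.7 is absent (NXDOMAIN, i.e. clean, matching the thread);
# 10.0.0.1 is a hypothetical listed host added for contrast.
FAKE_DNS = {
    "2.0.0.127.inputs.orbz.org": "127.0.0.2",   # RFC 5782 "listed" test point
    "1.0.0.10.inputs.orbz.org": "127.0.0.2",    # hypothetical listed relay
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


def parked_resolve(name):
    """Constructed failure mode: a dead zone whose wildcard answers everything."""
    return "198.51.100.9"


if __name__ == "__main__":
    print(confirm_rejection(REJECTION, fake_resolve))
    print("parked zone sane?", zone_is_sane("inputs.orbz.org", parked_resolve))
```

Run against the real DNS (drop the `resolve` argument), a result of `status == "clean"` with `zone_sane == True` is exactly the evidence to send the rejecting site's admin; `zone_sane == False` means the listing itself cannot be trusted and the rejecting MTA should stop using that zone.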
From: Anders Johansson
Date: Mon, 3 Sep 2001 01:00:55 +0200

On Monday 03 September 2001 00.55, Christian Klippel wrote:
> Hi Thomas,
> the message you got from the mail server means that the IP 202.58.118.7 is blocked by some MTAs because it is listed in a blackhole list as a spam site.

Who did that? Redhat or Microsoft? That's SuSE's list server! :)