SORBS - Is There a Better Spam Blacklist?
rootnl asks: "Recently I decided to upgrade my email server with better spam detection and decided to use the SORBS blacklist. It is a very aggressive blacklist and could be deemed quite effective. However, I discovered two totally legal servers currently being blocked by their Spam 'o Matic service: a Google Gmail server (64.233.182.185), and another server belonging to an ISP called Orange (193.252.22.249). Now, normally one would think these providers would probably get themselves de-listed, but the process provided revolves around donating money. As I just happen to have a friend that is using the said ISP, I have to seriously reconsider using SORBS. What is your experience with SORBS? If you have alternatives, what would you suggest as a better blacklist service?"
This
-EL
But avoid SPEWS like the plague. They have a wonderful policy of blacklisting entire 16-bit IP ranges because one machine in an enormous server park has been used to send spam.
They know this causes massive collateral damage to machines administrated by totally independent companies, many of them small and liable to suffer severe hardship because of this arbitrary action. That's precisely the idea: they keep hurting non-spammers to make them lobby the server parks to deal with the spammers.
Unless you think that kidnapping children and refusing to return them unless their parents fight the mafia for you is an ethical law-enforcement policy, SPEWS is obviously far far worse than the problem they are allegedly attempting to solve.
Virtually serving coffee
is that you not use SPEWS. Oh the pain that "list" causes me.
"You're awfully cute, but unfortunately for you, you're made of meat."
...use RBLs at SMTP level without any kind of scoring algorithm (only block when $x out of $y RBLs have the IP listed) unless you don't care about your mail. There have been major fuckups with single RBLs in the past and there will be such in the future. Especially with SORBS. See http://www.google.com/search?q=sorbs+sucks.
I thought that'd be common knowledge by now, but apparently I'm mistaken.
SURBL is a URL blacklist.
Employing it enables your spam software to block emails that have matching blocked urls in the message body.
I have not gotten any false positives with it and it blocks a ton of nasty phishing stuff in addition to the usual SpermaMAXX crap.
All the blacklists I know have a tendency to block entire ISPs rather than just the ranges known to generate spam, if they think the ISP isn't taking sufficient action against its spammers or spambot infected customers.
Blacklists and whitelists are useful, but I wouldn't use them as the sole indicator of whether or not an email is spam.
I'm sorry but SORBS should be shut down. The number of times I myself and many colleagues have managed to get onto SORBS because we were classed as a dynamic IP range, despite having blocks of IPs, and it's extremely hard to get off it. I understand blocking people with open relay servers, but being in a dynamic range, which can mean IPs being assigned to you from your ISP, is a joke. Everyone should be boycotting these guys; two of the large ISPs in Australia use these guys to filter out spam, and are being blocked by small businesses and education. I've never posted comments on Slashdot yet, but this is one I feel very strongly on, and SORBS should be avoided at all costs. If they deem you a spammer, despite proving to them you are not, they still reserve the right to keep you on the list and completely screw over your business.
Orange is part of Wanadoo who are known to be both spam friendly and to host spamvertised web sites. So maybe listing Orange is not such a bad idea.
If you run an anti-spam filter, it is your job to make sure your data is accurate.
But if you think your users would pressure some admin so they get back to you,
that is keeping mail hostage and not an acceptable practice.
If you do that, it is not part of the solution, it is part of the problem.
I prefer to use SpamAssassin with a couple of RBLs, with various weightings on each.
I keep the weightings quite low since I find most of the RBLs too aggressive; added to the Bayes and other checks, however, it is quite good at pushing spam into the right destination (and for the very spammy that's /dev/null).
True, this means I actually have to receive and process the mail rather than just arbitrarily ignoring connections, but my mail server doesn't really get that much traffic as it's only personal use.
$_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
They're currently allegedly trying to extort money from a UK ISP, Freedom2Surf (sadly now part of the Pipex group).
By default SORBS apparently block all dynamic IPs. For some strange reason they've deemed that 8192 IPs that are actually in the F2S static range are dynamic because the reverse DNS includes the IP address.
I've heard that they want $50 per IP to unblock them. They won't even talk to users who have static IP addresses in that range to get the block lifted.
I am NaN
"from the blacklists-in-general-are-like-this dept."
That about sums it up.
Several reasons why:
Large netblocks will be repeatedly put onto one of their lists if they don't comply with the founder/main admin's idea of how reverse DNS should be configured. They will list IP blocks that don't conform to an RFC that, funnily enough, he wrote.
Getting in contact with them in any reasonable timeframe is damn near impossible in any timely manner.
Primary/secondary SMTP servers of ISPs will often be listed as part of their blanket block approach.
They continually block whole IP ranges that are statically assigned, often automatically with seemingly no human oversight. Many complaints can be found on assorted web forums across the net, especially Australian ones, full of people trying to figure out why they were listed on one of the SORBS lists, and how to be removed.
Almost all of the issues I have run into with SORBS don't seem to have anything to do with eliminating spam, more to do with pushing the founder's RFC for reverse lookups. Comply, and you are free from hassle forever. Fail to comply, and face losing SMTP access to any providers using SORBS for anywhere from a day to over a week.
I have a fixed IP address provided by my ISP. I run my own servers and have done for nearly 10 years. My servers are not now, and have never been, open relays. I have run every possible test to make sure that is the case. SORBS, in their infinite wisdom, deem my address to be dynamic because it is part of a permanently leased dynamic range, so they block me, and therefore I cannot send email to anyone using two of the major ISPs in Australia. I have emailed SORBS and asked them to check my server. No response. I have spoken to the Telecommunications Industry Ombudsman in Australia, who tell me they can't do anything, that I should talk to "The Australian Communications and Media Authority", but if you are to check the SORBS site it specifically mentions that "The Australian Communications and Media Authority" have no influence over them at all. I have threatened SORBS with legal action. No response. Basically, they don't care less that I can't send email to the majority of Australia's internet users, because I won't donate money to them.
If you visit their site their tag line says "Fighting spam by finding and listing Exploitable Servers." This really should read "Exploiting small businesses through a cash for delisting scam".
Oh, and I forgot to mention, I've been told that the two major Australian ISPs who use SORBS just happen to form part of the "group of companies as a private venture" that make up SORBS. Interesting huh?
We have used Surgemail and are extremely happy with the performance and with the spam/RFC compliance filtering.
Check out http://www.surgemail.com/. It is platform independent and works on Windows, Mac, and *nixes.
Multi-RBL check
Type in a few of your favourite IP addresses. See which lists have fewest misses.
Using XXXX#XXXX@XXXXX.spamcop.net for statistical tracking.
Yum, this spam is fresh!
Message is 0 hours old
85.100.228.125 not listed in dnsbl.njabl.org
85.100.228.125 not listed in cbl.abuseat.org
85.100.228.125 listed in dnsbl.sorbs.net ( 127.0.0.10 )
85.100.228.125 not listed in relays.ordb.org.
85.100.228.125 not listed in accredit.habeas.com
85.100.228.125 not listed in plus.bondedsender.org
85.100.228.125 not listed in iadb.isipp.com
Possible open relay: 216.81.179.210
Yum, this spam is fresh!
Message is 0 hours old
216.81.179.210 not listed in relays.ordb.org.
Either you are for us or for the terrorists.
In my experience RBLs do their job fine. They are an easy way to stop spam and because of that a lot of people use them. Because of this "ease of use" people get mad when a RBL tags an innocent IP addy.
You have to realize this is a war. Much more than 50 percent of email is spam - we have to take drastic measures to provide a basic service - email. If you don't like the way the RBLs operate - use other methods to stop spam. There are plenty of other ways - they just require more attention on your part. Deal with it.
For a few years now, I have been using three RBLs to filter the incoming mail on our mail server, which hosts a few small-sized customers and some personal domains. The RBLs I use are: SpamHaus, SPEWS and SpamCop. We have set them up in sequence, so that a mail caught by one is not passed to the following ones anymore.
Looking at two days ...
... it shows the trend I've seen over this time: SpamHaus does a great job for me and we haven't received any complaints from the customers concerning people not able to contact them.
Given these (poor-man's statistics) it seems that SPEWS is of little use to us. SpamHaus catches most of the problems. Maybe even if we switched SPEWS' and SpamCop's order, we might see that the latter would be able to catch those mails now caught by the former. It's surely something we're going to try.
On the other hand, it might very well be that SPEWS would catch also all SPAM caught by SpamHaus. Reversing the current order might be a nice test before we come to any real conclusions on which RBL to drop ;-)
The (current) bottom line: For us, SPEWS isn't causing any problems, but also doesn't help us that much. SpamHaus seems to be a great RBL source and SpamCop seems to be a nice addition.
But it doesn't stop all SPAM.
Sorbs blacklists nearly all ISP relays which force their customers to send through them or do transparent SMTP proxying. On the positive side this means that you are not going to get those 1-2 per day annoying Spanish or Dutch lotto scams from orange/freeserve webmail. On the negative side this means that you are not going to get mails from small law abiding businesses like recruitment agencies and such. They also blacklist nearly all lesser webmails.
I tried it for 2 weeks around the time when SpamHaus future was in doubt in October and found it to have an unacceptable level of false positives.
I would suggest using all server level antispam possible - greylisting, autoblacklisting on spamtrap and top it up with SpamHaus. That leaves the annoying crap from l'Orange, but gives close to 0% false positives.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Orange is not just an ISP. It's a multinational mobile telecom company: http://en.wikipedia.org/wiki/Orange_SA. As far as I know, after they were bought by France Telecom, they moved many of their servers to a unique class B address space. Maybe that address you found is one of the old ones, which is not used anymore for mail, so unblocking it doesn't interest them.
On the other hand, getting a blacklist like this doesn't seem to solve your problem: getting less SPAM. Do you think spammers don't have enough money to get themselves out of blacklists? Do you think that every individual legit (not SPAM) business or server checks all of the many blacklists to see if it's on one of them? And if they do, how many will pay the fee to get themselves off that list?
sbl contains the spamhauses, xbl trojaned boxes/open proxies etc (you can of course also only use one of them). See http://www.spamhaus.org/xbl/index.lasso
http://openrbl.org/client/t/zones.htm
I absolutely HATE SORBS. We have Road Runner business class at work with a static IP. SORBS blocks our mail because according to their "superior" knowledge our IP is dynamic. When I tried to get us delisted, I got an automated response that said basically: This is an automated response, no human has read your request but we've denied your request to be delisted.
If I ever meet the guy who runs sorbs I believe I will punch him in the mouth.
I work at the abuse dept. of a large Dutch ISP and we rely heavily on SORBS. When I started working there one of my colleagues convinced us that there is no way you could be able to contact SORBS and I thought that to be true. We found out however that it is really not that hard to get in touch with them and if you follow their guidelines, you never have to pay for delisting. The paying part is mainly to scare off spammers delisting addresses they do not own. They use a small set of totally acceptable rules to delist addresses from their DUL list (if you use a mailserver on a dynamic address, go get a static one. If you can't, you should be using your ISP's mailserver). Their rules:
1. Only the owner of the address space may contact them, as listed in one of the five RIR databases (RIPE, ARIN etc). We always use abuse@isp.com, because this is a known address in RIPE.
2. The IP address must be known as static and have a PTR record stating it is static (mail.domain.com is acceptable).
3. It must have a correct A record.
4. The TTL of the A record must be 86400 sec.
If you contact them in the way they wish to be contacted (just read their website, it's not that hard), they will delist you in 24-48 hours. However, if you aren't the owner of the address space or the simple rules are not followed, your request will be ignored. Everyone who thinks they can't get through to SORBS just isn't reading their guidelines, it's that simple.
--- In a world without fences, who needs Gates.
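The four DUL rules in the post above are mechanical enough to check before opening a ticket. The following Python script is an added example, not SORBS' tooling and not the poster's script: it takes caller-supplied PTR and A lookup functions, so it runs here against constructed stub records with no network access and can equally be pointed at a real resolver. The "embeds the address" heuristic for generic reverse names is an assumption modelled on the F2S complaint earlier in the thread (reverse DNS that includes the IP address), not SORBS' published criterion; the IPs and hostnames in the stub are documentation addresses and example domains.

```python
"""Pre-flight check for the DUL delisting prerequisites listed in the post above.

Added example, not SORBS' tooling or the poster's script. DNS access is
abstracted into two caller-supplied functions so the check can run against the
constructed stub records below (no network) or against a real resolver.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class DnsRecord:
    """One resource record: its data and TTL in seconds."""
    value: str
    ttl: int


@dataclass
class CheckResult:
    ok: bool
    problems: List[str] = field(default_factory=list)


PtrLookup = Callable[[str], Optional[DnsRecord]]   # ip -> PTR record or None
ALookup = Callable[[str], List[DnsRecord]]          # name -> A records (possibly [])

_SEP = re.compile(r"[.\-_]")


def looks_generic(ptr_name: str, ip: str) -> bool:
    """Heuristic (an assumption, not SORBS' published rule): a reverse name that
    spells out all four octets, e.g. host-192-0-2-99.pool.example.net, is the
    kind of auto-generated name that gets a range classified as dynamic."""
    tokens = _SEP.split(ptr_name.lower())
    return all(octet in tokens for octet in ip.split("."))


def check_static_mail_host(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup,
                           required_ttl: int = 86400) -> CheckResult:
    """Apply the four rules: PTR present and non-generic, matching A record,
    and an A-record TTL of required_ttl seconds."""
    ipaddress.IPv4Address(ip)               # rejects malformed input early
    ptr = ptr_lookup(ip)
    if ptr is None:
        return CheckResult(False, ["no PTR record"])
    name = ptr.value.rstrip(".")
    problems: List[str] = []
    if looks_generic(name, ip):
        problems.append(f"PTR {name!r} embeds the address; looks auto-generated/dynamic")
    matching = [r for r in a_lookup(name) if r.value == ip]
    if not matching:
        problems.append(f"PTR {name!r} does not resolve back to {ip} (forward-confirmed rDNS fails)")
    for r in matching:
        if r.ttl != required_ttl:
            problems.append(f"A record TTL is {r.ttl}s, rule requires {required_ttl}s")
    return CheckResult(not problems, problems)


# Constructed stub zone data (RFC 5737 documentation addresses); not real hosts.
STUB_PTR = {
    "192.0.2.25": DnsRecord("mail.example.com.", 86400),                  # passes
    "192.0.2.99": DnsRecord("host-192-0-2-99.pool.example.net.", 3600),   # generic name, short TTL
    "192.0.2.7": DnsRecord("mx.example.org.", 86400),                     # PTR name resolves elsewhere
}
STUB_A = {
    "mail.example.com": [DnsRecord("192.0.2.25", 86400)],
    "host-192-0-2-99.pool.example.net": [DnsRecord("192.0.2.99", 3600)],
    "mx.example.org": [DnsRecord("192.0.2.8", 86400)],
}


def stub_ptr(ip: str) -> Optional[DnsRecord]:
    return STUB_PTR.get(ip)


def stub_a(name: str) -> List[DnsRecord]:
    return STUB_A.get(name, [])


if __name__ == "__main__":
    for ip in list(STUB_PTR) + ["203.0.113.1"]:
        result = check_static_mail_host(ip, stub_ptr, stub_a)
        print(ip, "OK" if result.ok else "; ".join(result.problems))
```

To run it against live DNS, replace stub_ptr and stub_a with functions that perform the PTR and A queries (and report the answer TTL) and pass them in; the checks themselves do not change.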
Specialization is for insects. -Heinlein
and if you don't like that, you can kiss my ass.
They're fussy, blacklist at will... my old hosting provider was trying to clear its name with them, completely impossible despite the net-block being registered to them, then they mentioned lawyers and SORBS refused to do anything ever again if there were now lawyers involved...
So, yes SORBS is the worst.. it stops spam in the same kinda way that unpluging your modem stops spam.
SpamHaus is the only blacklist that I trust to do straight blocking on. We've been using them for years and have gotten a grand total of two complaints about blocked mail; in both cases the sender was on the XBL because their machine was compromised. Considering our active userbase is in the hundreds of thousands, I'd say that isn't bad at all. :)
We actively discourage people from using SORBS. Even if they were more accurate, their removal policy is extortion.
Any of the other blacklists out there I would recommend only as part of a scoring algorithm. Most are fairly cavalier about blocking entire netblocks even if the problem is isolated, most have no automatic aging of entries, many have poor delisting policies or are slow to respond and the false positive rates tend to vary from ok to abysmal (SpamCop, for example, doesn't seem to know the difference between a bounce message and a piece of spam... though to their credit they are fairly good about removals and provide a feedback loop so you at least know when they've tagged a message as spam).
With the advent of the spam bot networks, blacklists aren't as useful for spam fighting as they used to be. Greylisting + content analysis is currently the way to go; though Spamhaus still does a decent job, but not Spamcop due to their "unsolicited bounces" thing...
The problem with this argument is, as usual, collateral damage. While there may be a spammer using Wanadoo somewhere, there are also many legitimate users who will be caught in the blast radius.
Before anyone replies with the usual holier-than-thou "Well they should change their ISP then", please consider that this is not trivial for a lot of people. Moreover -- and here's the real kicker -- pretty much every ISP is "spam-friendly" because, as the recent spam wave has demonstrated all too clearly, pretty much every ISP has lots of compromised machines running on it, and those machines can be abused without the informed consent of either their owner or the ISP.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I support the use of DNSRBLs (not by use alone, but it should augment a content-filtering system,) with the exception of SORBS. I have found it to be far too aggressive, more so than SPEWS. In fact, an ISP with which I partner wound up on SORBS, and during the removal process they discovered that a number of the recommended donation recipients will not accept the donations because of the myriad complaints over the process.
Ah, well.
At this point, very few people take SORBS seriously. They're inaccurately over-aggressive. If you use it for more than your personal email, you're begging for a lot of user complaints.
My own fun story is that they went on to my web site and subscribed their spamtraps to my opt-in email list. I didn't double-confirm, so I guess it's my fault that they scammed me. SORBS then used the emails emitted from that single IP address to justify blocking 8,192 of my ISP's email addresses.
Every other RBL maintainer has found my list to be clean. The only non-SORBS problem I've had with an RBL was with Spamcop. That was immediately resolved when the only folks who responded to further inquiry apologized for reporting the list mail by mistake.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
That's a very shortsighted view. We had defamation laws for a reason, and that reason is that while sticks and stones will break your bones, words most certainly can hurt you as well. I don't see why the actions of SORBS -- which sound like a pretty obvious protection racket looking at the comments in this thread -- wouldn't lead to a very fast court case with a very negative result for the operators of SORBS.
I'd highly recommend using some aggressive URIBL filtering -- that way, if someone gets blocked, you can be certain /they/ are the person you wanted to block.
Jay | http://oldos.org
Sorry, but the defamation would be against your ISP, not yourself since it is their IP block that SORBS is blocking. And if you read SORBS website for what they say about their list, I don't think you are going to find that they have defamed you in any way. The major ISPs in Australia have chosen to use that list to lessen spam. Talk to them about not using SORBS, or get an IP for yourself from another ISP that isn't likely to get themselves listed on SORBS.
I'd say a little of column a, a little of column b.
I mean, sure, most of the blacklists say 'Hey, don't use this to reject mail completely!' They generally, however, go on to say '*wink wink* if you really want to, though, here's a config file snippet to drop into your mail config. *wink wink*.
The idea of identifying/tracking/blocking content/activity/people at the IP level was always a hack at best and has long since become a completely haphazard solution. Black lists are a bad idea that's gone on too far. Instead of putting all of that energy into building, maintaining, and implementing those lists on networks, spend some time fixing it at an app protocol or content (auth) level. Yeah, initially a lot of legit mail won't get through - but that's true of black lists as well. I know there are a lot of reasons people still do this at an IP level, but why engage in a never ending battle using methods that you -know ahead of time- will -never- solve the problem?
My website has also been listed on spamcop, which IMHO is a very good spam filter. It will blacklist your site for x number of hours, then if no more complaints are received, it will automatically be delisted. A very good system.
See this wiki item: http://en.wikipedia.org/wiki/SORBS
"Some of the controversy arises from SORBS' policy of requiring a US$50 donation to the Joey McNicol Legal Defense Fund in order to get an IP de-listed from the spam database.[1] Because of this requirement, SORBS has often been compared to an extortion racket."
It would take a brave man to sue a blocking list. Or at least a man that has no desire ever to send an email ever again. If there's a single legal threat then there's a definite risk that every other blocking list in the world will block you.
The comment below is from Matt at SORBS: "http://www.dnswl.org/ might be what you're looking for. I fully support this project, particularly for people wanting to use SORBS and are concerned about major ISPs getting listed for smart hosting the *occasional* spam. Regards, Mat" I would say do the same thing. What really should happen is that SORBS should use this list, instead of making everyone else do it. Currently if you get listed, there is a good chance you will never get off without "paying", and I don't know many companies that could start that practice. Sherman
SORBS is run by a juvenile, unprofessional staff with an astoundingly arrogant attitude (that also can't spell, as shown below). Below is a response I received from "Joey" at SORBS. I have a Small Business Account at Yahoo (paying $11/month on separate servers), and was unable to send email a friend and business associate because his ISP used SORBS. Happy ending? He had his business use a different ISP...one that didn't use SORBS.
> Your provider yahoo shares this same IP address that is listed in SORBS with 1000's of other users including non paying spammers .
SORBS' methods aren't granular enough to prevent false positives (in fact, they are willing to block 1,000s of mail accounts to block one spammer), and in doing so their practices block legitimate mail, they have no reasonable resolution systems (other than ones that seem like extorting normal users to pay to unlock actual spammer's dynamic IP ranges that we happen to share), and they have rude customer service.
Would you really consider using a service like this? Forwarded message below the >>>
Run away!
Craig
>>>>
> How do I get my email off of your list? I am not a spammer. Your
> database
> is what flagged me incorrectly. How do I correct it? I'm not trying to complain, just trying to fix it.
>
> Thanks,
> XXXX
>
Your email is not listed in SORBS
You have not been flagged incorrectly or at all .
As I said you will need to complain to yahoo if you aren't happy with the fact that their decission to share the service you are paying them to provide with spammers id causing you problems.
--
Joey ( SORBS Volunteer )
Western Australia.
If you reject email based on a blacklist, that's putting an awful amount of trust in the maintainers of the lists. Rejecting email based on a blacklist is always a dumb idea.
Blacklists do have a use, however. Use them with something like SpamAssassin. Rather than reject mail based on the list, just add points to the score.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
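A concrete form of the scoring approach this comment and several earlier ones advocate (low per-list weights, SORBS weighted lowest, block only when more than one list agrees), written as an added example rather than SpamAssassin's own implementation. The query construction (reversed octets under the list's zone) and the RFC 5782 sanity test (127.0.0.2 must be listed, 127.0.0.1 must not be, which catches a dead list whose zone now answers positively for everything) are standard DNSBL mechanics; the weights, the threshold, the zone rbl.dead.example and every answer in the stub resolver are constructed for illustration.

```python
"""Weighted scoring across several DNSBLs, with a minimum-agreement rule.

Added example, not SpamAssassin's or any list operator's code. resolve(qname)
must return the A-record strings for qname, or [] for NXDOMAIN; the stub
resolver at the bottom answers from constructed data so the example runs
offline.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
# Some lists signal "query refused / over quota" with answers in this band
# instead of a listing; treat the whole band as an error, never as a hit.
ERROR_BAND = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL query name: the octets of ip reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)        # rejects hostnames and v6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A dead or wildcarded zone that answers positively for everything fails
    the second test and must not be allowed to contribute to the score.
    """
    listed = resolve(dnsbl_query_name("127.0.0.2", zone))
    clean = resolve(dnsbl_query_name("127.0.0.1", zone))
    return bool(listed) and not clean


def lookup(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """Listing codes for ip in zone; answers outside 127/8 (a hijacked or
    misconfigured zone) and in the error band are discarded."""
    codes = []
    for answer in resolve(dnsbl_query_name(ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        if addr in LOOPBACK and addr not in ERROR_BAND:
            codes.append(answer)
    return codes


def score_ip(ip: str, weights: Dict[str, float], resolve: Resolver,
             threshold: float = 5.0, min_lists: int = 2) -> Tuple[float, Dict[str, List[str]], bool]:
    """Sum the weights of the zones listing ip.

    Returns (score, {zone: codes}, reject). reject is True only when the score
    reaches threshold AND at least min_lists zones agree, so no single list,
    however aggressive, can cause a rejection on its own.
    """
    hits: Dict[str, List[str]] = {}
    score = 0.0
    for zone, weight in weights.items():
        if not zone_is_sane(zone, resolve):
            continue                         # skip rather than trust a broken zone
        codes = lookup(ip, zone, resolve)
        if codes:
            hits[zone] = codes
            score += weight
    return score, hits, score >= threshold and len(hits) >= min_lists


# Constructed weights: SORBS deliberately low, because of its DUL false positives.
WEIGHTS = {"sbl-xbl.spamhaus.org": 4.0, "bl.spamcop.net": 2.0,
           "dnsbl.sorbs.net": 1.0, "rbl.dead.example": 3.0}

# Constructed answers (RFC 5737 addresses). rbl.dead.example stands in for a
# defunct list whose zone now answers 127.0.0.2 for every query.
STUB = {
    "2.0.0.127.sbl-xbl.spamhaus.org": ["127.0.0.2"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.dnsbl.sorbs.net": ["127.0.0.2"],
    "2.0.0.127.rbl.dead.example": ["127.0.0.2"],
    "1.0.0.127.rbl.dead.example": ["127.0.0.2"],      # fails the RFC 5782 clean test
    # a compromised host: listed by three independent lists
    "10.113.0.203.sbl-xbl.spamhaus.org": ["127.0.0.4"],
    "10.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "10.113.0.203.dnsbl.sorbs.net": ["127.0.0.10"],
    "10.113.0.203.rbl.dead.example": ["127.0.0.2"],
    # a static mail host that only SORBS flags (127.0.0.10 is its dynamic/DUL code)
    "25.2.0.192.dnsbl.sorbs.net": ["127.0.0.10"],
    "25.2.0.192.rbl.dead.example": ["127.0.0.2"],
}


def stub_resolve(qname: str) -> List[str]:
    return STUB.get(qname, [])


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.25", "198.51.100.5"):
        print(ip, score_ip(ip, WEIGHTS, stub_resolve))
```

With these weights the host that only SORBS lists scores 1.0 from one list and is not rejected, while the host on three lists scores 7.0 and is; the dead zone is skipped entirely because it fails the 127.0.0.1 test, which is exactly the failure mode that turns a forgotten list into a block on the whole internet.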
How do you figure that out?!
If I'm in danger of successfully suing one company, do you think the other companies in the same industry are going to line up with signs saying "Sue us too!"?
Truth is proof against defamation.
Somehow, we ended up listed on their dynamic/dial-up list. We were a medium-sized business with a /27 subnet in the middle of a Class C amongst several other small businesses. We also had two /24s on two other networks.
To get de-listed you had to meet a couple of requirements. You had to have an MX record as a hostname (pretty much the standard). You had to have a reverse DNS or PTR record for the address. I used their ticket logging system to send them a compelling argument, and the whole Class C was finally de-listed three weeks later.
dig -t mx ourdomain.com
ourdomain.com. 86400 IN MX 10 mail.ourdomain.com.
dig -x xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx.in-addr.arpa. 86400 IN PTR mail.ourdomain.com.
Even though we met their requirements for not being listed, somehow we and our network neighbors were listed. Another note, I believe they have a reverse priority queue. The more times you submit complaints to their ticket system, the longer it takes for you to be de-listed.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
Whatever you do, DO NOT USE BLARS. He runs a pretty mean black list, so bad that his website probably got pulled or he was forced to pull it.
If you happen to be the mail admin I would suggest checking out mxtoolbox.com.
> If I'm in danger of successfully suing one company, do you think the other companies in the same industry are going to line up with signs saying "Sue us too!"?
Honestly? - YES. Or at least I consider it enough of a risk. I genuinely rate their fanaticism that highly. Oh, not all of them, and those that do will probably add a weaselly disclaimer of the sort that computer nerds think provide legal protection, or create a separate list that doesn't include me, but I wouldn't take the risk.
Try Nolisting. It's nifty.
Nolisting + Greylisting + content analysis = less spam.
I can highly recommend the Composite Block List (CBL), cbl.abuseat.org. They seem to have an extremely good handle on trojanned zombie/bot machines. I started using the CBL when the massive pump-and-dump stock spam runs started several months ago, and it's been very effective.
...
As an aside, if you're being flooded with the stock spams, implement a filter to silently drop mails with a message-ID containing "6c822ecf"
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
> I have threatened SORBS with legal action.
Well, there's your problem right there! Most people don't really like legal threats, and amongst the more fanatical anti-spammers, they're quite the source of amusement. I submit for your consideration the cart00ney.org blacklist, which is an RBL specifically for listing people that send legal threats to blacklist operators. I also suggest that you search Google Groups' archive of NANAE for 'Matthew Sullivan' and 'cart00ney', because I'm sure your threat got a good laugh out of everybody there. I'm sure that was your last resort after trying to do all the things a civil and reasonable person would and failing to see any results, but it was definitely not the wisest thing to do.
Blacklists are like closing the barn doors after the horses have escaped, it's a fundamentally flawed concept. By the time a spam source ends up on a blacklist any spammer worth its salt has already moved on. Combined with the tendency for false positives, it's a cure that's worse than the disease. A "smart" spam filter like SpamBayes is better, but it's not perfect either, and you'll have to keep it in training-- not so easy if you're trying to filter for a whole shop and not just your own personal email. At least a local algorithmic filter allows you to correct false positives more quickly than does a blacklist-- with a blacklist the only quick solution to a false positive problem is to stop using it.
Well, I have a number of servers on static IPs that SORBS think are dynamic.
I have tried telling the idiots that they are wrong, but to no avail.
It's really a problem that people trust such a bunch of retards, because it's hard for the administrators of the mail servers to know if important mail is being blocked, very hard for users to know and even more impossible for users to smack some sense into the head of the fool who runs their mail server.
What I have done instead of using the static and poorly administered black lists is to use a number of short-term, spamtrap-driven blacklists, sbl-xbl.spamhaus.org, which is somewhat static but seems to be well run, along with greylisting.
With greylisting most spammers never try again and even if they do there is a good chance that they will fall into a spamtrap and be stopped by the RBL the next time around.
I used to use SORBS (that was before I figured out they were fucking around), ORDB (which ended up taking almost no hits) and a few other lists and with the new setup I have gone from getting 70 or more spams per day to less than one.
Ditch SORBS, they suck because they list much more than just dynamic addresses and refuse to fix their mistakes.
-- To dream a dream is grand, but to live it is divine. -- Leto ][
Thanx for all the advice.
In my current setup, my primary mail server is located in a data center where I have to pay for bandwidth, so using a blacklist does help in reducing the traffic and server load, as the mail does not get much further than the initial control. However, this requires a blacklist to be very accurate. I also have been playing with MX priority and fallback methods using a second mail server in another data center. This way, when a mail is bounced, the second server gets picked up and the mail is processed only by a spam filter (SpamAssassin). On the first server I use an IMAP server as my priority mailbox and on the second a POP server which I check once in a while.
I guess as some have mentioned, ip based blacklisting is not so effective anymore, it can do more damage than good if not maintained properly. After all, the blacklist providers(if I may call them that) are not the ones blocking the email, their users are. Maybe they should encourage people to use their blacklist in a spamfilter with a scoring algorithm rather than a blocking method in a smtp server (give better examples).
We are the people our parents warned us about.
But I can tell you, I got so mad at my hosting service when they went to SORBS, and didn't tell me. I switched, even though I still had 8 months to go and couldn't get a refund! And I checked with the service I went to first, to make sure they weren't going to use any of that bull crap SORBS.
Al Lowe Nope, not the guy who came up with Leisure Suit Larry.
SORBS claim they list dynamic addresses, but they clearly don't and they don't care about fixing the problem.
91 Relay access denied
135 http://www.spamhaus.org/SBL/sbl.lasso?
2306 http://www.spamcop.net/bl.shtml?
4364 greylist expired 6007 Sender address rejected
41144 Helo command rejected
117479 Recipient address rejected
As you can see, the most common hit is trawling for valid names. Second most common hit is people claiming to be the domain they're sending to. We've got Postfix set to say 'F off' to any machine that lies in HELO, fails to use an FQDN or makes a ton of other mistakes.
After that, we've got the 400 series errors of cannot lookup sender addresses, followed by greylisting expirations, and finally, the two RBLs actually used on this machine, and finally open relay probes.
What's not listed is the multiplicitive effect of HELO and greylisting blocking, and that's pretty hard to determine. Someone will have to honeypot that one to get some numbers, but a HELO block stops a host from sending ANY spam to you. How many mailadmins out there see their (decently populated) servers only get a single email when a spamrun is in progress? Exactly. Same with greylisting. Spammers consider any error a permenant fail (for that run) because it's more time-efficient to just go on to the next email then to keep a retry queue. Since they never try to send the same email again, they never get through the greylist (since it's based on host:sender:recipient) tuples.
On my personal server, I don't even use RBLs anymore; they are too prone to false positives for the tiny amount of spam they do catch. And politically, while vengeance and retribution seem like a cunning plan, in reality the only people who ever suffer are the collateral damage. Deep-pocket ISPs with 2-3 year downstream contracts and painful early termination clauses keep a lot of collateral damage from being able to vote with their wallet. Plus, thanks to ARIN's inability to move forward with IPv6 in a reasonable fashion, or give portable netblocks to people, moving is exceptionally painful for basically everyone except the largest players (who are not generally collateral damage). The big losers here are the joe-job victims who get blacklisted, small businesses who lose contracts due to having their email blocked, medium businesses and small ISPs who have to play whack-a-mole on customer servers trying to find the exploit-of-the-week that allows formmail/mail relay/postmaster bounce spam. The winners are big fat companies like MCI, since they get spammer business, and lock their non-spamming customers into contracts that don't let them move when their service is impaired. (Nobody considers being on a blacklist grounds for early termination, or even downtime. OBVIOUSLY you did something wrong to get on it.) And of course, dedicated mail hosts who are the last resort when you're locked into listed netblocks.
Of the winners and losers, who do you see posting to NANAE? What sides do they take on the RBL issue? Isn't it interesting to follow the money?
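The greylisting mechanism the post above describes (defer the first attempt for an unseen host:sender:recipient tuple, accept once the host retries after a delay, and let tuples that are never retried expire) written out as a small simulation. This is an added example, not code from the post or from Postfix; the class name, method names, SMTP reply strings and timing constants are assumptions chosen for illustration, and the traffic in simulate() is constructed.

```python
"""Greylisting: an MTA temporarily rejects (4xx) the first delivery attempt
for an unseen (client_host, sender, recipient) triplet and accepts the
triplet once the sending host retries after a minimum delay. Pending
triplets that are never retried expire, which is the "greylist expired"
line in the log counts above. Added example; names and constants assumed."""
from dataclasses import dataclass, field

DEFER = "450 4.7.1 greylisted, try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300              # seconds a sender must wait before retrying
    pending_ttl: int = 4 * 3600       # how long an unretried triplet is remembered
    known_ttl: int = 30 * 24 * 3600   # how long a verified triplet stays accepted
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    known: dict = field(default_factory=dict)    # triplet -> time last seen
    expired: int = 0                             # count of triplets that aged out

    def _expire(self, now):
        """Drop pending triplets nobody retried and stale verified ones."""
        for key, first in list(self.pending.items()):
            if now - first > self.pending_ttl:
                del self.pending[key]
                self.expired += 1
        for key, last in list(self.known.items()):
            if now - last > self.known_ttl:
                del self.known[key]

    def check(self, client_host, sender, recipient, now):
        """Return the SMTP reply the MTA should give for this attempt."""
        self._expire(now)
        key = (client_host, sender.lower(), recipient.lower())
        if key in self.known:
            self.known[key] = now
            return ACCEPT
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now          # never seen: defer and remember
            return DEFER
        if now - first < self.min_delay:
            return DEFER                     # retried too quickly: keep deferring
        del self.pending[key]                # retried after the delay: verified
        self.known[key] = now
        return ACCEPT


def simulate():
    """Constructed traffic: a legitimate MTA that retries and a spam run that
    never does. Returns (legit_replies, spam_replies, expired_count)."""
    gl = Greylist()
    legit = ("mx1.example.org", "alice@example.org", "bob@example.net")
    spam = ("198.51.100.23", "random123@example.com", "bob@example.net")
    legit_replies = [
        gl.check(*legit, now=0),      # first attempt: deferred
        gl.check(*legit, now=60),     # too early; a real MTA backs off again
        gl.check(*legit, now=900),    # retried after 15 minutes: accepted
        gl.check(*legit, now=1000),   # later mail for the same triplet passes
    ]
    spam_replies = [gl.check(*spam, now=10)]  # spammer moves on, never retries
    gl.check(*legit, now=5 * 3600)            # later traffic runs the expiry sweep
    return legit_replies, spam_replies, gl.expired


if __name__ == "__main__":
    print(simulate())
```

The point the simulation makes is the one the post makes: the legitimate sender loses nothing but a delay, while a sender that treats the 450 as final never gets a second look and shows up only as an expired entry.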
If you have a problem with SORBS-RBL'ed mail being blocked, it's your configuration that's a problem not SORBS.
GMail is "blocked"? No, somebody once sent mail through GMail that was spam and SORBS reports it as such.
The same goes for Yahoo, all the major ISPs, and more.
So, if you chose to block all mail that has been tagged by SORBS you obviously don't understand what SORBS does or didn't think it through very well. I admit to doing the latter myself.
What I would like to see is a lovely set of SpamAssassin rules that knows about SORBS and knows about all the major ISPs and adjusts scores appropriately. I tried Googling for such a thing myself and didn't come up with any. Pointers appreciated.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Shouldn't you be flooding NANAE or ranting about the 'SPEWS KOOKS' or something?
There are hundreds of DNSbls to choose from http://moensted.dk/spam/?addr= I suggest tagging till you find which closest meet your needs, then whitelist those you want messages from, in case their ISP is having abuse issues that get noticed by the DNSbls you use. Plenty of spam seems to be coming from IP 64.233.182.185. At least one other DNSbl has IP 64.233.182.185 currently listed. http://moensted.dk/spam/?addr=64.233.182.185 Plenty of spam seems to be coming from IP 93.252.22.249; also a few other DNSbls have IP 93.252.22.249 currently listed. http://moensted.dk/spam/?addr=93.252.22.249
Thanks for this info, it does shed some light on the whys. I assume you made a copy-paste mistake with the second IP, it should start with 193... The big question will always be whether Google were informed that one of their servers were abused, or they were just blatantly added to SORBS blacklist.
What halfass ISP are you using that doesn't provide its customers with an SMTP forwarder for just this very purpose?
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
What the heck has "open relay" got to do with it? The problem is that your space is listed as dynamic - this ISN'T a statement about your mail server or anything. Turning your mail server off does not affect a dynamic IP listing, okay? Pay attention to the facts. RBLs are long past checking just open relays.
(Aside: I run a mail server. I don't care if you have run a perfect mail server, if you don't have a static IP address, I don't want email from you NO MATTER WHAT.)
There's no point in emailing SORBS to 'check your server' because it is nothing to do with your server. It's only your address we're talking about.
Right.
Secondly, it looks like you failed to talk to the one organisation that can actually help you. Your OWN ISP's helpdesk. See, like virtually all such blocklists, SORBS distrusts email from end users claiming that they have a static IP (as spammers are prone to making the same false claim.) The normal approach is to get your ISP's helpdesk to contact SORBS. This works a lot more reliably.
From one who knows, Google are very aware of the issue and are not doing anything about it... Even SpamCop has things to say about Google and Gmail hosts.
Not true any more, sadly. A /24 of Bytemark's network was put on spamhaus' main blacklist in August because we didn't respond to a phishing take-down notification within 12 hours, i.e. where one of our customers' servers had been compromised and was hosting a phishing site. I was told sharply that 12 hours was "more than enough time" to respond to such an abuse complaint - this was a complaint delivered at around 7pm which I responded to by noon the next day. And of course because spamhaus is widely trusted as a hand-edited list of career spammers, it caused hell for us for about a day. This seems to be a new and unadvertised policy - they are using their list as a blunt stick to fight network crime in general, and not just to warn you about spammers.
John Reid at spamhaus told me: "When we see an exploited server on an unknown hosting company range, we fear that much of their network may be exploited as well. We err on the side of caution, especially when we see the site has been up for a longer-than-normal period."
Make of that what you will! I think it's lazy policy-on-the-hoof that will make their list less trustworthy for mail filtering - the bottom line is that they blocked a host which was sending no email. Therefore none of their users would have seen any less spam as a result.
Matthew @ Bytemark Hosting
They blacklisted the entire block of IP addresses owned by SBC!
OK, let me clarify a few things here. When I first had the issue with my emails bouncing I went through the normal processes. I contacted my ISP (whose network is ironically part of the network owned by the large Australian ISP who was bouncing my emails) and told them about the matter. They told me that my IP address is part of the range they allocate to clients requiring static IPs and that as long as I maintain the account I have the LEASE on that IP address - in other words, I don't own it, I LEASE it - just like someone would lease a vehicle. I thought "fair enough - for all intents and purposes the IP is mine" - just like if I lease a vehicle it is mine for all intents and purposes. So then I went to the large Australian ISP who was using the SUCKS list - the ones who were bouncing my emails - and complained that my IP was fixed and bla bla bla. Basically they told me to take a running leap - that THEY weren't blocking my emails, it was the SUCKS list that they were using that had my IP listed that was causing the issue, so I should take it up with my ISP and the SUCKS people. Hmmm, OK, I've spoken to my ISP and am happy enough with their explanation, so let's try the SUCKS people. So I tried their contact form - which basically spat me out as soon as I entered my IP. So I did a whois on their IP and sent a nice email to their tech contact requesting that someone contact me about the issue. Nothing. So I sent another email from another account that doesn't go out via my server to make sure they got it. Nothing. It was at this point - totally frustrated that nobody could give a rat's %$@# that I couldn't send email - that I contacted the Telecommunication Industry Ombudsman, who told me I needed to speak with "The Australian Communications and Media Authority". I recalled seeing something on the SUCKS site so went and checked and sure enough they specifically say that "The Australian Communications and Media Authority" have no authority over them. Another dead end.
So I sent another nice email indicating that I REALLY needed to speak to someone who could sort this out for me. Nothing. Finally, totally frustrated that I could get no response, I sent a not-so-nice email telling them that I was investigating my legal rights, and to this day I have still not had one reply from them.
Now the real kicker to this is that I have been told that the large Australian ISP who I originally had issues with is one of the "group of companies as a private venture" (from the SUCKS site) that makes up SUCKS. But what is even worse is that if you whois my IP, it belongs to that same ISP!!! So basically they are blocking one of their own IPs. Oh, I also forgot to mention that the only solution offered by that large ISP when I first contacted them was to lease a "real IP" address from THEM for some ridiculous amount of money. And this is legal how???
Firstly, ask both ISPs in writing (on paper) to whitelist you, as they are using an RBL which has known errors in it.
If they fail to whitelist you then sue the ISP for "restraint of trade" or similar. Their choice of RBL is causing you material harm, which is a legitimate grievance.
You chose to use one or more of the SORBS.net RBLs for blocking (presumably without testing first), and then you were disappointed because you didn't get the results you expected? If you truly understood SORBS.net's criteria, and the purpose of RBLs in the first place, then there clearly would be no need to complain.
Responsible mail server operators often do the following prior to implementing any RBL in a blocking fashion:
- Understand the listing criteria (anyone who doesn't do this is definitely a gambler)
- Test it in tagged mode (this decision is subjective, but strongly recommended for those who aren't familiar with DNSBLs or spam fighting in general) and inspect the results periodically to verify accuracy
The reason this testing needs to be performed is that every mail server deals with different eMail traffic patterns (in part due to serving different users/purposes/etc.), and what works well in one environment could be a complete disaster in another.
One must also realize that it's not the fault of the DNSBL operator if legitimate eMail gets blocked (assuming that the criteria is being enforced without exceptions, as has always been the case with SORBS.net as far as I know), rather it's the fault of the spammer and the provider that doesn't terminate spammer accounts (I certainly don't want to receive eMail from ISPs that harbour spammers, and that's my absolutely undeniable right).
If you find that a DNSBL isn't working for you, two options that come to mind are to either combine it with a whitelist (it's entirely up to you to make exceptions to rules on your own systems) or stop using it entirely. In my experience, DNSBL operators typically don't care if you don't use their services, and often discourage relying on their databases anyway -- they're merely providing the listing service for free in the hopes that it will help to make the internet better for everyone, which is a noble attitude worthy of much respect.
I use almost a dozen DNSBLs on all my servers, and the logs consistently indicate a rejection rate of over ~95%. Users are pleased because they get a lot less spam through our systems than they do from most others. Occasionally there is a question about someone's eMail getting blocked, and we handle these on a case-by-case basis (sometimes we refuse to whitelist an ISP, typically because of their attitude or history, but this is rare because most of the time they're willing to terminate spammers to get {and remain} de-listed).
An important part of using a DNSBL is to require those who are blocked to clean up their act. It's a social responsibility that all mail server administrators have, and it's so easy to encourage clean-up on the other end simply because they're the ones who have to take the appropriate steps to get de-listed (there's no need for whitelisting if they actually do get rid of the spam problem on their end, after all). And if they just whine about their upstream provider not fixing it, then that's still their problem (they can always take their business somewhere else -- this is a very compelling way to find out how seriously they take the spam problem, since supporting a spam-friendly upstream provider is approximately as bad as harbouring spammers directly).
The Lumber Cartel, local 42 (Canadian branch)
British Columbia, Canada
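Several comments in this thread converge on the same operational advice: don't reject on a single list, score hits across several DNSBLs (block only when enough of them agree), run a new list in tagged mode first, and keep a local whitelist for senders you have decided to accept regardless of listings. The following is an added example of that approach, not code from the thread, from SORBS or from SpamAssassin. It shows how a DNSBL query name is built (the IPv4 octets reversed under the list's zone), how per-list weights and two thresholds separate "tag" from "block", and how a whitelist short-circuits the lookup. The zone names are real public lists, but the weights, thresholds, 127.0.0.x answer codes and the FAKE_DNS answer table are assumptions constructed so the example runs offline; live_resolver() is the real lookup you would plug in instead.

```python
"""Score several DNSBLs instead of blocking on any one of them, with a local
whitelist. Added example; weights, thresholds and the FAKE_DNS table are
constructed for illustration and are not any list's real data."""
import ipaddress
import socket

# Zone -> weight. The zones are real lists; the weights are this example's choice.
DNSBLS = {
    "zen.spamhaus.org": 3.0,
    "bl.spamcop.net": 2.0,
    "dnsbl.sorbs.net": 1.0,
}
TAG_THRESHOLD = 2.0     # at or above: mark as suspect (e.g. add a header)
BLOCK_THRESHOLD = 4.0   # at or above: reject at SMTP time


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the IPv4 octets under the list's zone:
    192.0.2.10 on zone.example becomes 10.2.0.192.zone.example."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name):
    """Real lookup: an A record means 'listed'; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def score_ip(ip, resolver, whitelist=frozenset()):
    """Return (verdict, score, hits); verdict is 'accept', 'tag' or 'block'.
    Whitelisted networks are accepted without consulting any list."""
    addr = ipaddress.IPv4Address(ip)
    for net in whitelist:
        if addr in ipaddress.IPv4Network(net):
            return "accept", 0.0, []
    score, hits = 0.0, []
    for zone, weight in DNSBLS.items():
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is not None:
            score += weight
            hits.append((zone, answer))
    if score >= BLOCK_THRESHOLD:
        return "block", score, hits
    if score >= TAG_THRESHOLD:
        return "tag", score, hits
    return "accept", score, hits


# Constructed stand-in for DNS so the example runs offline. DNSBLs answer with
# 127.0.0.x codes whose meaning is list-specific; the codes here are made up.
FAKE_DNS = {
    "10.2.0.192.dnsbl.sorbs.net": "127.0.0.6",    # .10: two lists -> tag only
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "20.2.0.192.dnsbl.sorbs.net": "127.0.0.6",    # .20: all three lists -> block
    "20.2.0.192.bl.spamcop.net": "127.0.0.2",
    "20.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "30.2.0.192.bl.spamcop.net": "127.0.0.2",     # .30: would block, but whitelisted
    "30.2.0.192.zen.spamhaus.org": "127.0.0.2",
}


def fake_resolver(name):
    return FAKE_DNS.get(name)


def demo():
    """Verdicts for four constructed client addresses (192.0.2.0/24 is TEST-NET-1)."""
    whitelist = frozenset({"192.0.2.24/29"})   # covers 192.0.2.24 - .31
    return {ip: score_ip(ip, fake_resolver, whitelist)[0]
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40")}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

Running in tagged mode is just a matter of acting on the "tag" verdict (add a header, feed the score into your content filter) and never on "block" until you have inspected what each list would have rejected; that inspection is the testing step the comment above insists on.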
Just how do you want to contact them given they DO know you are just a goddam spammer?
My parser is a grammar nazi.
Re: Plenty of spam seems to be coming from those IPs {Seems I was auto edited? (does not like the less than & greater than brackets)} Check these links, http://groups.google.com/groups?as_q=&as_epq=64.233.182.185&as_ugroup=news.admin.net-abuse.*&scoring=d
http://tinyurl.com/yn2ghp http://snipurl.com/16uf2
http://moensted.dk/spam/?addr=64.233.182.185
http://groups.google.com/groups?as_q=&as_epq=193.252.22.249&as_ugroup=news.admin.net-abuse.*&scoring=d
http://tinyurl.com/yfglt2 http://snipurl.com/16ufd
http://moensted.dk/spam/?addr=193.252.22.249
Re: The big question will always be whether Google were informed that one of their servers were abused, or they were just blatantly added to SORBS blacklist.
Likely both.
I have been privy to some google / gmail mail server admin correspondence, they have been working on improving their outbound filtering (for the last 2 years?) and seem to have made a dent, but by no means have they stopped emitting spam.
I suspect most DNSbls that use spam traps don't bother telling the ISP about the abuse _before_ listing the IP, as by the time the ISP's abuse desk gets around to reading & acting on the e-mail, the spam run to thousands? millions? has already completed. (Most using DNSbls as part of their spam control are hoping the DNSbl sees the spam before it gets to their server.)
...SPEWS and other blacklists don't force anyone to use them. If you're having trouble with a block, it's because someone's ISP has decided that using SPEWS blacklists works for them. It makes commercial sense...
...when you joined your ISP. If they adhere to them, you can't complain. If they don't, you can. End of story.