SORBS - Is There a Better Spam Blacklist?
rootnl asks: "Recently I decided to upgrade my email server with better spam detection and decided to use the SORBS blacklist. It is a very aggressive blacklist and could be deemed quite effective. However, I discovered two totally legal servers currently being blocked by their Spam 'o Matic service: a Google Gmail server (64.233.182.185), and another server belonging to an ISP called Orange (193.252.22.249). Now, normally one would think these providers would probably get themselves de-listed, but the process provided revolves around donating money. As I just happen to have a friend that is using the said ISP, I have to seriously reconsider using SORBS. What is your experience with SORBS? If you have alternatives, what would you suggest as a better blacklist service?"
But avoid SPEWS like the plague. They have a wonderful policy of blacklisting entire 16-bit IP ranges because one machine in an enormous server park has been used to send spam.
They know this causes massive collateral damage to machines administrated by totally independent companies, many of them small and liable to suffer severe hardship because of this arbitrary action. That's precisely the idea: they keep hurting non-spammers to make them lobby the server parks to deal with the spammers.
Unless you think that kidnapping children and refusing to return them unless their parents fight the mafia for you is an ethical law-enforcement policy, SPEWS is obviously far far worse than the problem they are allegedly attempting to solve.
Virtually serving coffee
SURBL is a URL blacklist.
Employing it enables your spam software to block emails that have matching blocked urls in the message body.
I have not gotten any false positives with it and it blocks a ton of nasty phishing stuff in addition to the usual SpermaMAXX crap.
All the blacklists I know have a tendency to block entire ISPs rather than just the ranges known to generate spam, if they think the ISP isn't taking sufficient action against its spammers or spambot infected customers.
Blacklists and whitelists are useful, but I wouldn't use them as the sole indicator of whether or not an email is spam.
I'm sorry but SORBS should be shut down. The number of times I myself and many colleagues have managed to get onto SORBS because we were classed as a dynamic IP range, despite having blocks of IPs, and it's extremely hard to get off it. I understand blocking people with open relay servers, but being in a dynamic range, which can mean IPs being assigned to you from your ISP, is a joke. Everyone should be boycotting these guys; two of the large ISPs in Australia use these guys to filter out spam, and are being blocked by small businesses and Education. I've never posted comments on Slashdot yet, but this is one I feel very strongly on, and SORBS should be avoided at all costs. If they deem you a spammer, despite proving to them you are not, they still reserve the right to keep you on the list and completely screw over your business.
Orange is part of Wanadoo who are known to be both spam friendly and to host spamvertised web sites. So maybe listing Orange is not such a bad idea.
If you run an anti-spam filter, it is your job to make sure your data is accurate.
But if you think your users would pressure some admin so they get back to you, that is keeping mail hostage and not an acceptable practice.
If you do that, you are not part of the solution, you are part of the problem.
I prefer to use SpamAssassin and use a couple of RBLs with various weightings on each.
I keep the weightings quite low since I find most of the RBLs too aggressive - added to the Bayes and other checks, however, it is quite good at pushing spam into the right destination (and for the very spammy that's /dev/null).
True, this means I actually have to receive and process the mail rather than just arbitrarily ignoring connections, but my mail server doesn't really get that much traffic as it's only personal use.
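As an added illustration of the weighted-RBL approach this comment describes (example code, not the poster's own setup or SpamAssassin's): how a DNSBL query name is built from an IP, and how low per-list weights combine with other rule points before a verdict. The list zones, weights and the in-memory resolver are constructed stand-ins for live DNS.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Constructed stand-in for DNS: maps a DNSBL query name to the A record the
# list would answer with. DNSBLs answer from 127.0.0.0/8 when an IP is listed
# and NXDOMAIN (None here) when it is not. The zone names are made up.
FAKE_DNS: Dict[str, str] = {
    "3.2.0.192.bl.rbl-a.example": "127.0.0.2",
    "3.2.0.192.bl.rbl-b.example": "127.0.0.4",
    "9.0.0.10.bl.rbl-b.example": "127.0.0.2",
}

def fake_resolve(name: str) -> Optional[str]:
    """Look up an A record in the constructed table (None means NXDOMAIN)."""
    return FAKE_DNS.get(name)

# Per-list weights kept low, as the poster suggests, so an RBL hit alone
# does not reach the spam threshold without Bayes/content evidence.
WEIGHTS: Dict[str, float] = {"bl.rbl-a.example": 1.5, "bl.rbl-b.example": 1.0}
SPAM_THRESHOLD = 5.0  # SpamAssassin's default required score

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookups reverse the octets and append the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip: str, zone: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """Listed only if the answer is a loopback-range address."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

def rbl_score(ip: str, weights: Dict[str, float], resolve) -> float:
    """Sum the weights of every list that has the IP."""
    return sum(w for zone, w in weights.items() if dnsbl_listed(ip, zone, resolve))

def verdict(rbl_points: float, other_points: float, threshold: float = SPAM_THRESHOLD) -> str:
    """Combine RBL points with Bayes/other rule points before deciding."""
    return "spam" if rbl_points + other_points >= threshold else "ham"

if __name__ == "__main__":
    for ip in ("192.0.2.3", "10.0.0.9", "198.51.100.7"):
        pts = rbl_score(ip, WEIGHTS, fake_resolve)
        print(ip, pts, verdict(pts, 0.0), verdict(pts, 3.0))
```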
$_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
They're currently allegedly trying to extort money from a UK ISP Freedom2Surf (sadly now part of the Pipex group).
By default SORBS apparently block all dynamic IPs. For some strange reason they've deemed that 8192 IPs that are actually in the F2S static range are dynamic because the reverse DNS includes the IP address.
I've heard that they want $50 per IP to unblock them. They won't even talk to users who have static IP addresses in that range to get the block lifted.
I am NaN
Several reasons why:
Large netblocks will be repeatedly put onto one of their lists if they don't comply with the founder/main admin's idea of how reverse DNS should be configured. They will list IP blocks that don't conform to an RFC that, funnily enough, he wrote.
Getting in contact with them in any reasonable timeframe is damn near impossible.
Primary/secondary SMTP servers of ISPs will often be listed as part of their blanket block approach.
They continually block whole IP ranges that are statically assigned, often automatically with seemingly no human oversight. Many complaints can be found on assorted web forums across the net, especially Australian ones, full of people trying to figure out why they were listed on one of the SORBS lists, and how to be removed.
Almost all of the issues I have run into with SORBS don't seem to have anything to do with eliminating spam, more to do with pushing the founder's RFC for reverse lookups. Comply, and you are free from hassle forever. Fail to comply, and face losing SMTP access to any providers using SORBS for anywhere from a day to over a week.
I have a fixed IP address provided by my ISP. I run my own servers and have done for nearly 10 years. My servers are not now, and have never been, open relays. I have run every possible test to make sure that is the case. SORBS, in their infinite wisdom, deem my address to be dynamic because it is part of a permanently leased dynamic range, so they block me, and therefore I cannot send email to anyone using two of the major ISPs in Australia. I have emailed SORBS and asked them to check my server. No response. I have spoken to the Telecommunications Industry Ombudsman in Australia, who tell me they can't do anything, that I should talk to "The Australian Communications and Media Authority", but if you check the SORBS site it specifically mentions that "The Australian Communications and Media Authority" have no influence over them at all. I have threatened SORBS with legal action. No response. Basically, they couldn't care less that I can't send email to the majority of Australia's internet users, because I won't donate money to them.
If you visit their site their tag line says "Fighting spam by finding and listing Exploitable Servers." This really should read "Exploiting small businesses through a cash for delisting scam".
Oh, and I forgot to mention, I've been told that the two major Australian ISPs who use SORBS just happen to form part of the "group of companies as a private venture" that make up SORBS. Interesting, huh?
For a few years now, I have been using three RBLs to filter the incoming mail on our mail server, which hosts a few small-sized customers and some personal domains. The RBLs I use are: SpamHaus, SPEWS and SpamCop. We have set them up in sequence, so that a mail caught by one is not passed to the following ones anymore.
Looking at two days ...
... it shows the trend I've seen over this time: SpamHaus does a great job for me and we haven't received any complaints from the customers concerning people not able to contact them.
Given these (poor man's) statistics, it seems that SPEWS is of little use to us. SpamHaus catches most of the problems. Maybe if we switched SPEWS' and SpamCop's order, we might see that the latter would be able to catch those mails now caught by the former. It's surely something we're going to try.
On the other hand, it might very well be that SPEWS would also catch all the SPAM caught by SpamHaus. Reversing the current order might be a nice test before we come to any real conclusions on which RBL to drop ;-)
The (current) bottom line: For us, SPEWS isn't causing any problems, but also doesn't help us that much. SpamHaus seems to be a great RBL source and SpamCop seems to be a nice addition.
But it doesn't stop all SPAM.
Orange is not just an ISP. It's a multinational mobile telecom company. http://en.wikipedia.org/wiki/Orange_SA. As far as I know, after they were bought by France Telecom, they moved many of their servers to a unique class B address space. Maybe that address you found is one of the old ones, which is not used anymore for mail, so unblocking it doesn't interest them.
On the other hand, getting a blacklist like this doesn't seem to solve your problem: getting less SPAM. Do you think spammers don't have enough money to get themselves out of blacklists? Do you think that every individual legit (not SPAM) business or server checks all of the many blacklists to see if it's on one of them? And if they do, how many will pay the fee to get themselves off that list?
SBL contains the spamhauses, XBL trojaned boxes/open proxies etc. (you can of course also use only one of them). See http://www.spamhaus.org/xbl/index.lasso
Donate free food here
I work at the abuse dept. of a large Dutch ISP and we rely heavily on SORBS. When I started working there one of my colleagues convinced us that there is no way you could be able to contact SORBS and I thought that to be true. We found out however that it is really not that hard to get in touch with them and if you follow their guidelines, you never have to pay for delisting. The paying part is mainly to scare off spammers delisting addresses they do not own. They use a small set of totally acceptable rules to delist addresses from their DUL list (if you use a mailserver on a dynamic address, go get a static one. If you can't, you should be using your ISP's mailserver). Their rules:
1. Only the owner of the address space may contact them, as listed in one of the five RIR databases (RIPE, ARIN etc). We always use abuse@isp.com, because this is a known address in RIPE.
2. The IP address must be known as static and have a PTR-record stating it is static (mail.domain.com is acceptable).
3. It must have a correct A-record.
4. The TTL of the A-record must be 86400 sec.
If you contact them in the way they wish to be contacted (just read their website, it's not that hard), they will delist you in 24-48 hours. However, if you aren't the owner of the address space or the simple rules are not followed, your request will be ignored. Everyone who thinks they can't get through to SORBS just isn't reading their guidelines, it's that simple.
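An added pre-flight check for rules 2 to 4 as this comment states them (example code, not the poster's or SORBS's): does the PTR read as a static mailhost, does its A record point back to the IP, and is the A record TTL 86400. The "looks dynamic" heuristic (address octets embedded in the name, as another comment reports being penalised, or a pool keyword) is our assumption, and the zone data is constructed to stand in for live DNS.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class ARecord:
    address: str
    ttl: int

# Constructed zone data standing in for live DNS; all names and addresses are made up.
FAKE_PTR = {
    "192.0.2.25": "mail.example.test",            # well-formed static mailhost
    "192.0.2.26": "192-0-2-26.dyn.example.test",  # address embedded in the name
    "192.0.2.27": "smtp.example.test",            # forward record is wrong
}
FAKE_A = {
    "mail.example.test": ARecord("192.0.2.25", 86400),
    "192-0-2-26.dyn.example.test": ARecord("192.0.2.26", 86400),
    "smtp.example.test": ARecord("192.0.2.99", 3600),
}

DYNAMIC_HINTS = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|pool|dial|ppp)([.-]|$)", re.I)

def looks_dynamic(ptr_name: str, ip: str) -> bool:
    """Our heuristic, not a published SORBS rule: a PTR that embeds the address
    octets or a dynamic-pool keyword does not read as a static mailhost."""
    octets = ip.split(".")
    embedded = "-".join(octets) in ptr_name or ".".join(octets) in ptr_name
    return embedded or DYNAMIC_HINTS.search(ptr_name) is not None

def check_static_mailhost(ip: str, ptr_lookup: Callable[[str], Optional[str]],
                          a_lookup: Callable[[str], Optional[ARecord]],
                          required_ttl: int = 86400) -> List[str]:
    """Return the list of rule violations; an empty list means every check passed."""
    problems: List[str] = []
    ptr = ptr_lookup(ip)
    if ptr is None:
        return ["no PTR record"]
    if looks_dynamic(ptr, ip):
        problems.append("PTR %s looks dynamic" % ptr)
    a = a_lookup(ptr)
    if a is None:
        problems.append("PTR name %s has no A record" % ptr)
    else:
        if a.address != ip:  # forward-confirmed reverse DNS must round-trip
            problems.append("A record %s does not point back to %s" % (a.address, ip))
        if a.ttl != required_ttl:
            problems.append("A record TTL %d != %d" % (a.ttl, required_ttl))
    return problems

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, check_static_mailhost(ip, FAKE_PTR.get, FAKE_A.get) or "OK")
```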
--- In a world without fences, who needs Gates.
There are a large crowd of email maintainers who believe anonymous email is important for political reasons.
I think you're right on the mark though with the pharmacy analogy. We were able to implement SMTP to ESMTP quite easily so it shows people can definitely implement changes in protocols.
I also vote with people who think black hole lists are pretty much useless these days because they swallow up so many innocent people/organizations.
It would be nice to have an open source barracuda ( http://www.barracudanetworks.com/ns/?L=en ) like box - these things really work well.
Specialization is for insects. -Heinlein
SpamHaus is the only blacklist that I trust to do straight blocking on. We've been using them for years and have gotten a grand total of two complaints about blocked mail; in both cases the sender was on the XBL because their machine was compromised. Considering our active userbase is in the hundreds of thousands, I'd say that isn't bad at all. :)
We actively discourage people from using SORBS. Even if they were more accurate, their removal policy is extortion.
Any of the other blacklists out there I would recommend only as part of a scoring algorithm. Most are fairly cavalier about blocking entire netblocks even if the problem is isolated, most have no automatic aging of entries, many have poor delisting policies or are slow to respond and the false positive rates tend to vary from ok to abysmal (SpamCop, for example, doesn't seem to know the difference between a bounce message and a piece of spam... though to their credit they are fairly good about removals and provide a feedback loop so you at least know when they've tagged a message as spam).
With the advent of the spam bot networks, blacklists aren't as useful for spam fighting as they used to be. Greylisting + content analysis is currently the way to go; though Spamhaus still does a decent job, but not Spamcop due to their "unsolicited bounces" thing...
The problem with this argument is, as usual, collateral damage. While there may be a spammer using Wanadoo somewhere, there are also many legitimate users who will be caught in the blast radius.
Before anyone replies with the usual holier-than-thou "Well they should change their ISP then", please consider that this is not trivial for a lot of people. Moreover -- and here's the real kicker -- pretty much every ISP is "spam-friendly" because, as the recent spam wave has demonstrated all too clearly, pretty much every ISP has lots of compromised machines running on it, and those machines can be abused without the informed consent of either their owner or the ISP.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
At this point, very few people take SORBS seriously. They're inaccurately over-aggressive. If you use it for more than your personal email, you're begging for a lot of user complaints.
My own fun story is that they went on to my web site and subscribed their spamtraps to my opt-in email list. I didn't double-confirm, so I guess it's my fault that they scammed me. SORBS then used the emails emitted from that single IP address to justify blocking 8,192 of my ISP's email addresses.
Every other RBL maintainer has found my list to be clean. The only non-SORBS problem I've had with an RBL was with Spamcop. That was immediately resolved when the only folks who responded to further inquiry apologized for reporting the list mail by mistake.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
The idea of identifying/tracking/blocking content/activity/people at the IP level was always a hack at best and has long since become a completely haphazard solution. Blacklists are a bad idea that's gone on too far. Instead of putting all of that energy into building, maintaining, and implementing those lists on networks, spend some time fixing it at an app protocol or content (auth) level. Yeah, initially a lot of legit mail won't get through - but that's true of blacklists as well. I know there are a lot of reasons people still do this at an IP level, but why engage in a never-ending battle using methods that you -know ahead of time- will -never- solve the problem?
Well, I have a number of servers on static IPs that SORBS think are dynamic.
I have tried telling the idiots that they are wrong, but to no avail.
It's really a problem that people trust such a bunch of retards, because it's hard for the administrators of the mail servers to know if important mail is being blocked, very hard for users to know, and even more impossible for users to smack some sense into the head of the fool who runs their mail server.
What I have done instead of using the static and poorly administered blacklists is to use a number of short-term, spamtrap-driven blacklists, plus sbl-xbl.spamhaus.org, which is somewhat static but seems to be well run, along with greylisting.
With greylisting most spammers never try again and even if they do there is a good chance that they will fall into a spamtrap and be stopped by the RBL the next time around.
I used to use SORBS (that was before I figured out they were fucking around), ORDB (which ended up taking almost no hits) and a few other lists, and with the new setup I have gone from getting 70 or more spams per day to less than one.
Ditch SORBS, they suck because they list much more than just dynamic addresses and refuse to fix their mistakes.
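An added example of the greylisting step this comment combines with spamtrap-driven lists (example code, not the poster's setup): a never-seen (client IP, sender, recipient) triplet is deferred with a 4xx reply, accepted once the sending MTA retries after a minimum delay, and forgotten if no retry arrives. The timing constants and the sample traffic are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)

@dataclass
class Greylist:
    """Minimal greylisting policy. A real MTA retries a 4xx for hours; most
    spam bots (as the poster observes) fire once and never come back."""
    min_delay: int = 300                 # assumed: retry sooner than this is still deferred
    retry_window: int = 4 * 3600         # assumed: pending triplets expire after this
    whitelist_ttl: int = 36 * 24 * 3600  # assumed: confirmed triplets remembered this long
    pending: Dict[Triplet, int] = field(default_factory=dict)    # first-seen time
    confirmed: Dict[Triplet, int] = field(default_factory=dict)  # expiry time

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        key = (client_ip, sender.lower(), recipient.lower())
        expiry = self.confirmed.get(key)
        if expiry is not None and now < expiry:
            self.confirmed[key] = now + self.whitelist_ttl  # keep live senders whitelisted
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[key] = now  # new triplet, or an expired one: start over
            return DEFER
        if now - first_seen < self.min_delay:
            return DEFER  # retried too fast; well-behaved MTAs back off for minutes
        del self.pending[key]
        self.confirmed[key] = now + self.whitelist_ttl
        return ACCEPT

def simulate() -> Dict[str, List[str]]:
    """Constructed traffic: a legitimate MTA retrying after ten minutes, and a
    bot that delivers once and never retries."""
    g = Greylist()
    mta = ("192.0.2.10", "alice@sender.example", "bob@ourdomain.example")
    bot = ("198.51.100.7", "promo@bulk.example", "bob@ourdomain.example")
    return {
        "mta": [g.check(*mta, now=0), g.check(*mta, now=600), g.check(*mta, now=900)],
        "bot": [g.check(*bot, now=0)],
    }

if __name__ == "__main__":
    print(simulate())
```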
-- To dream a dream is grand, but to live it is divine. -- Leto ][