Slashdot Mirror


Hackers Blamed For MessageLabs Spam Blunder

littlekorea writes "MessageLabs claims to have discovered that the systems of one of its customers were hacked by spammers after an entire block of MessageLabs IP addresses was blocked by antispam service SORBS. Customers of the managed email service had problems with outbound mail last week after MessageLabs' IP addresses were included in SORBS' block list. The Symantec-owned service provider has assured customers it has systems in place to prevent such incidents from happening again."

10 of 44 comments

  1. Please don't use SORBS blocklist by Anonymous Coward · · Score: 5, Interesting

    SORBS is a really poor block list which I don't think anyone should use.

    I found that my mail server is listed in their list, because 3 years ago the same IP range was allocated to a dynamic IP range.

    Even though it is now a static server address and the whois IP allocation records were long ago updated, and it even has the reverse DNS saying "static" in the format that SORBS demands, because the ENTIRE /24 network where my server lives doesn't conform to their demanded reverse DNS standard, they refuse to delist it.

    Their web service is a total nightmare and even their auto responder takes two weeks. As someone who has been working with mail servers on the internet since 1992, I would say please, for the love of god, do not use SORBS as an email blocking list.

    Check out Wikipedia for more info on them, they also solicit payments for some delisting which seems completely unethical.

  2. This all sounds backwards by camperslo · · Score: 3, Informative

    Doesn't it seem much more likely that the hack is what led to the spam being sent, THEN the site got blocked as a result?

    1. Re:This all sounds backwards by IBBoard · · Score: 2, Interesting

      I think that's just bad phrasing. My reading is that they only found out that the customer had been "hacked" because they were blacklisting (i.e. 'hacking' occurred, blacklisting occurred, awareness of blacklisting occurred, and finally awareness of 'hacking' occurred).

    2. Re:This all sounds backwards by JeffSh · · Score: 4, Insightful

      Knowing how Messagelabs works myself, just to refine it, it probably went something like this.

      Emailserver1 is set up to relay all of its outbound email through Messagelabs.
      Emailserver1 is compromised and used as a mail relay itself.
      Messagelabs receives spam generated by Emailserver1 and, because all outbound email is filtered, they recognize it after a few hundred pieces of mail and begin to throttle/stop connections from the server.
      A few pieces of the hundred are delivered to destination recipients.
      SORBS places the entire Messagelabs /24 on their lame block list in response and, because they suck as a service, take forever to remediate bad blocks.

      The answer to all this is Messagelabs IP ranges should never end up on SORBS' list because of what they are: an output pool for tens of thousands of people which is maintained by a company with a reputation. The fact SORBS feels it within their power to blacklist Messagelabs IP ranges shows how much power they feel that they have, power derived merely from the fact that some people use them.

      This should prove to people who use SORBS why not to use them. It's SORBS' fault, not Messagelabs'. The whole idea of a list like SORBS is to be a well maintained list of "bad IPs". If they add Messagelabs' /24s to their list, this proves it is not well maintained. The act of sending a small number of spam emails is inherently unpreventable almost by definition, and ML has the infrastructure in place to protect against 99.9999% of it.

  3. anon by Anonymous Coward · · Score: 3, Interesting

    Having been caught in exactly this situation between these two companies before left me with a very bitter taste in my mouth towards SORBS.
    SORBS "require" a "donation" (to a charity) to get delisted.
    Type SORBS and charity into Google and have a peek at what comes back...
    On the SORBS site (I don't remember exactly where, but I do remember reading it last time I went through this crap) they say that (me paraphrasing) they are probably not allowed to charge a fee for delisting for legal reasons, so they "require" a "donation" instead. Oh yeah, you can choose a SORBS approved charity and jump through hoops to prove your donation, OR rather conveniently they have a charity that you can donate to which will place fewer hoops in your way. Which one you gonna choose considering people are yelling at you that their mail ain't getting through?
    Do a bit of googling and there are reports of people blacklisted by SORBS being asked to buy hardware for SORBS as the "donation" to get unlisted.
    See much info on the SORBS site on what measures they take to prevent and deal with false positives? No? Well that's probably because when they are charging for delisting it's in their interests to generate as much paying custom as possible.
    Seems like a form of extortion to me...

  4. Re:Please don't use SORBS blocklist by arivanov · · Score: 2, Informative

    Seconded. I tried using them a few years back and balked at the appalling quality of the data.

    In any case, using greylisting, some basic header sanity checking and Spamhaus kills 99%+ of the spam, so there is really no technical need to use such an aggressive list.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/

  5. Please don't use ANY blacklist by Anonymous Coward · · Score: 5, Informative

    In addition to the complaints specific to SORBS, here's what the acme.com owner (who, more than half a decade ago, received on the order of a million spam mails per day) has to say about DNS-RBLs in his write-up on how to efficiently and effectively filter spam:

    DNS-RBLs - Domain Name System Realtime Black Lists. In theory the idea is fine. You have a set of sites that you blacklist, and you want to let other folks use the same list so you distribute it using DNS, which is a nice efficient de-centralized database. What's not to like?

    Well, I don't know why, but in practice every single DNS-RBL eventually comes under the control of power-hungry weenies. They start listing sites unreliably, and if you complain you find yourself listed. And there's usually no way to get off the list.

    A lot of people tell me I'm wrong about this. They say that certain DNS-RBLs are ok, with objective criteria for inclusion and simple procedures for getting off the list. The thing is, they give conflicting recommendations for which lists are good and which are bad. Some of these folks recommend lists which I know from personal experience are bad.

    This problem is really inherent in the way DNS-RBLs are set up. You cede control of your mail system to a third party, with no real possibility of checking how they are doing. The people running the lists get overwhelmed with bogus feedback from spammers and/or idiots, to the point where they assume all their mail about the lists is from spammers and/or idiots.

    If the lists you use have not yet descended into corruption and chaos, consider yourself temporarily lucky.

    Do not use DNS-RBLs.

    As you can see, he addresses the specific problems with SORBS ("in practice every single DNS-RBL eventually comes under the control of power-hungry weenies. They start listing sites unreliably, and if you complain you find yourself listed. And there's usually no way to get off the list"), gives a reason for why this is ("the people running the lists get overwhelmed with bogus feedback from spammers and/or idiots, to the point where they assume all their mail about the lists is from spammers and/or idiots"), draws his conclusions ("this problem is really inherent in the way DNS-RBLs are set up. You cede control of your mail system to a third party, with no real possibility of checking how they are doing") and arrives at a recommendation ("do not use DNS-RBLs").

    1. Re:Please don't use ANY blacklist by McD · · Score: 3, Insightful

      and arrives at a recommendation ("do not use DNS-RBLs").

      This entire analysis is spot on, but the reason blacklists are so popular is that they tend to work - you use one, the spam goes down, your users are happy. (Right up to the point where they discover a false positive that the RBL is blocking them from getting, anyway.)

      In light of that, "do not use DNS-RBLs" is kind of throwing the baby out with the bathwater. The obvious middle ground, of course, is "don't use DNS-RBLs to make a binary accept/reject decision." Instead, use them as a weighted input to an overall spam score, such as is done by SpamAssassin or policyd-weight.

      But then, that's generally more work. :-)

      --
      "Given the pace of technology, I propose we leave math to the machines and go play outside." -- Calvin

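As an added illustration of the middle ground McD describes (not code from the thread, nor from SpamAssassin or policyd-weight), this Python sketch scores a sender IP against several DNSBLs with per-list weights and a reject threshold, beside the one-hit-rejects policy he argues against. The list zones, weights and the stand-in DNS answers are constructed; a real deployment would replace `lookup` with an actual A-record query of the reversed-octet name.

```python
"""Weighted DNSBL scoring versus a binary accept/reject (added example)."""
import ipaddress

# Constructed (zone, weight) pairs. A list that earns a reputation for
# false positives can be down-weighted instead of being ripped out.
DNSBL_WEIGHTS = [
    ("bl-a.example", 3.0),
    ("bl-b.example", 1.0),
]
REJECT_THRESHOLD = 4.0


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Constructed stand-in for DNS: names present here are "listed". Real
# DNSBLs answer a listed query with an address in 127.0.0.0/8.
FAKE_DNS = {
    "4.3.2.1.bl-a.example": "127.0.0.2",
    "4.3.2.1.bl-b.example": "127.0.0.2",
    "8.8.8.10.bl-b.example": "127.0.0.2",
}


def lookup(name: str) -> bool:
    """True when the name is listed. Swap in a real resolver query here."""
    return name in FAKE_DNS


def dnsbl_score(ip: str, weights=DNSBL_WEIGHTS) -> float:
    """Sum the weights of every list that hits for this sender IP."""
    return sum(w for zone, w in weights if lookup(dnsbl_query_name(ip, zone)))


def weighted_decision(ip: str) -> str:
    """Reject only when the combined evidence crosses the threshold; a
    lone hit on a weak list is left for downstream content scoring."""
    return "reject" if dnsbl_score(ip) >= REJECT_THRESHOLD else "accept"


def binary_decision(ip: str) -> str:
    """The policy McD argues against: any single listing rejects outright."""
    hit = any(lookup(dnsbl_query_name(ip, z)) for z, _ in DNSBL_WEIGHTS)
    return "reject" if hit else "accept"
```

With the constructed data, 10.8.8.8 is bounced by the binary policy on one low-weight list alone but accepted under weighted scoring, while 1.2.3.4, listed on both, is rejected by either.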
  6. extortion by SORBS by lechiffre5555 · · Score: 5, Informative

    Having been caught in exactly this situation between these two companies before left me with a very bitter taste in my mouth towards SORBS.
    SORBS "require" a "donation" (to a charity) to get delisted.
    Type SORBS and charity into Google and have a peek at what comes back...
    On the SORBS site (I don't remember exactly where, but I do remember reading it last time I went through this crap) they say that (me paraphrasing) they are probably not allowed to charge a fee for delisting for legal reasons, so they "require" a "donation" instead. Oh yeah, you can choose a SORBS approved charity and jump through hoops to prove your donation, OR rather conveniently they have a charity that you can donate to which will place fewer hoops in your way. Which one you gonna choose considering people are yelling at you that their mail ain't getting through?
    Do a bit of googling and there are reports of people blacklisted by SORBS being asked to buy hardware for SORBS as the "donation" to get unlisted.
    See much info on the SORBS site on what measures they take to prevent and deal with false positives? No? Well that's probably because when they are charging for delisting it's in their interests to generate as much paying custom as possible.
    Seems like a form of extortion to me...

    1. Re:extortion by SORBS by memyselfandeye · · Score: 5, Informative

      Similar nightmare for a project website started a while back. We registered with the host, a VERY BIG host I'll add, and suddenly found our assigned IP addresses were all blocked. SORBS said it was the provider's fault; they gleefully hosted spam sites so must be punished. It would sure be nice to have group related e-mail for organizational purposes. Unless our host paid to play, it was game over. No big deal, we moved to an even BIGGER, more expensive host (currently a publicly traded company with some big 'cloud' options) and yet again found our new IP addresses blocked, oddly though, only after our domain was updated with the new DNS addresses.

      It boggled the mind how a brand new, never previously registered domain for a research project related to a small scientific group studying x-ray deep surface x-ray diffraction could be the root cause of a huge criminal enterprise. One might think SORBS took offense to a previous email relaying certain concerns and blocked the domain out of spite. Fortunately when we relayed those fears SORBS corrected us, and proved with some very convincing records that 2 chemists and a physicist were really responsible for the downfall of humanity, and all it would take is a donation to their legal fund. (Oppenheimer, eat your heart out.)

      The advantage of toiling for a university day and night is access to a rather sophisticated legal department that loves crushing tiny people like Kevin SORBOS playing Hercules. Needless to say, the SORBS legal defense fund suddenly looked like it was going to get a real workout, and magically, an error was found and corrected. We were unblocked.

      Let me say it one more time... Nightmare.