North American Network Operators Group


Re: SORBS Insanity

  • From: Matthew Sullivan
  • Date: Thu Apr 15 08:33:37 2004

Jeff Kell wrote:

> Jeremy Kister wrote:
> > [... giant snip ...]
>
> We are a former user of SORBS. Our issue was not that of dynamic IPs, but rather their spamtrap listings. A few weeks ago, at least two of Comcast's legitimate mail servers were blacklisted. As Comcast has a majority of the cable service in our area, we have a lot of users that use Comcast as their ISP. Needless to say, listing several of Comcast's prominent mail servers caused our mailers to reject the mail with the SORBS bounce reply. We have since ceased using SORBS and cured the Comcast problem, as well as a couple of other unrelated (and previously unreported) problems.

I do recommend anyone using the complete DB to whitelist any major mailservers 'near' them. If you can't do this I recommend you use tagging and/or use 'safe.dnsbl.sorbs.net' which doesn't contain the spam DB, but does contain all other DBs.

> But I have/had a considerable degree of respect for SORBS, and as part of our abuse department, I dutifully report all of our reported spam deliveries to SpamCop. When SpamCop does its analysis and notes that the spam in question was listed in SORBS, I now cringe. It would have been blocked.
>
> So currently I'm considering asking for partial zone transfers of some of their blocks (our mailer doesn't discriminate against the DNS return address being 127.0.0.x or 127.0.0.y, a hit is a hit) and omitting at least the 'spamtrap' portion (for the same reason we don't use SpamCop directly -- the knee-jerk false positives outweigh the real hits to upset a considerable portion of our user base).

safe.dnsbl.sorbs.net - available on all the public DNS servers and by using the zonefiles.

> From the opposite standpoint in acting on spam that originates in our domain, everything to date has been a compromised machine and/or virus.
> If SpamCop lists our registered mailers, I can at least respond from the abuse address that the problem has been corrected and there are no further interruptions in our mail service. I can only imagine the problems if you end up blacklisted by SORBS if their response time and effort is really this low for cleaning up their lists. While the big ISPs may not act immediately (or at all) on compromised hosts with trojan proxies, we do keep a tight lid on it (and block SMTP from end-users at egress, but that is another discussion).

You will note my post before Christmas about the up-and-coming whitelisting mechanism - I am still collecting details for people wanting to use it - unfortunately, for a variety of reasons, the whitelisting mechanism is still not ready to go public.

Yours

Matthew
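As an added example (not code from this thread or from SORBS), here is the per-return-code handling Jeff describes ("a hit is a hit" versus looking at 127.0.0.x) combined with the local whitelist Matthew recommends. The zone name, the sample DNS answers and the code-to-action table are assumptions for illustration, not the list's documented meanings.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]  # query name -> A records ([] = not listed)

# Assumed local policy, not SORBS's documented meanings: which 127.0.0.x
# answer codes cause a reject. Any other listing is only tagged, never bounced.
REJECT_CODES = {"127.0.0.2", "127.0.0.3"}   # placeholder: e.g. open proxy/relay

# Constructed sample answers standing in for live DNS. Keys are the
# reversed-octet query names; values are the A records the list would return.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "4.3.2.1.dnsbl.example.net": ["127.0.0.6"],               # spamtrap only
    "8.7.6.5.dnsbl.example.net": ["127.0.0.2"],               # proxy listing
    "9.0.0.10.dnsbl.example.net": ["127.0.0.2", "127.0.0.6"], # both at once
}

def sample_resolver(qname: str) -> List[str]:
    """Offline stand-in for a gethostbyname_ex() call; [] means NXDOMAIN."""
    return SAMPLE_ANSWERS.get(qname, [])

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet lookup name: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before querying
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(ip: str, zone: str, resolve: Resolver,
             whitelist: Iterable[str] = ()) -> str:
    """Return 'accept', 'tag' or 'reject' for a connecting IP.

    Whitelisted networks (CIDR strings) are never queried, so a mistaken
    listing of a large provider's outbound relay cannot bounce its mail.
    Listed hosts are then judged per answer code rather than 'a hit is a hit'.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(net) for net in whitelist):
        return "accept"
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return "accept"                    # not listed in this zone
    if REJECT_CODES.intersection(answers):
        return "reject"                    # at least one code we bounce on
    return "tag"                           # listed only by codes we do not bounce on
```

Tagging instead of rejecting keeps a spamtrap-style false positive from becoming a bounce, while still letting users or downstream filters see the listing.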