North American Network Operators Group
Re: SORBS Insanity
- From: Matthew Sullivan
- Date: Thu Apr 15 08:33:37 2004
Jeff Kell wrote:
Jeremy Kister wrote:
[... giant snip ...]
We are a former user of SORBS. Our issue was not that of dynamic IPs,
but rather their spamtrap listings. A few weeks ago, at least two of
Comcast's legitimate mail servers were blacklisted. As Comcast has a
majority of the cable service in our area, we have a lot of users that
use Comcast as their ISP. Needless to say, listing several of
Comcast's prominent mail servers caused our mailers to reject the mail
with the SORBS bounce reply. We have since ceased using SORBS and
cured the Comcast problem, as well as a couple of other unrelated (and
previously unreported) problems.
I do recommend anyone using the complete DB to whitelist any major
mailservers 'near' them. If you can't do this I recommend you use
tagging and/or use 'safe.dnsbl.sorbs.net' which doesn't contain the spam
DB, but does contain all other DBs.
But I have/had a considerable degree of respect for SORBS, and as part
of our abuse department, I dutifully report all of our reported spam
deliveries to SpamCop. When SpamCop does its analysis and notes that
the spam in question was listed in SORBS, I now cringe. It would have
been blocked.
So currently I'm considering asking for partial zone transfers of some
of their blocks (our mailer doesn't discriminate against the DNS
return address being 127.0.0.x or 127.0.0.y, a hit is a hit) and
omitting at least the 'spamtrap' portion (for the same reason we don't
use SpamCop directly -- the knee-jerk false positives outweigh the
real hits to upset a considerable portion of our user base).
safe.dnsbl.sorbs.net - available on all the public DNS servers and by
using the zonefiles.
From the opposite standpoint in acting on spam that originates in our
domain, everything to date has been a compromised machine and/or virus.
If SpamCop lists our registered mailers, I can at least respond from
the abuse address that the problem has been corrected and there are no
further interruptions in our mail service. I can only imagine the
problems if you end up blacklisted by SORBS if their response time and
effort is really this low for cleaning up their lists. While the big
ISPs may not act immediately (or at all) on compromised hosts with
trojan proxies, we do keep a tight lid on it (and block SMTP from
end-users at egress, but that is another discussion).
You will note my post before Christmas about the up and coming
whitelisting mechanism - I am still collecting details for people
wanting to use it - unfortunately for a variety of reasons the
whitelisting mechanism is still not ready to go public.
Yours
Matthew
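
Added example, not part of the original messages: a minimal sketch of a mailer-side check that whitelists nearby mail servers first and then acts per DNSBL return code (reject, tag or ignore) instead of treating every 127.0.0.x answer as a hit. The zone name, return-code meanings, whitelist range and resolver data are all constructed assumptions; take the real codes from the list operator's documentation.

```python
import ipaddress

# Hypothetical policy: which 127.0.0.x answers to act on, and how.
# These codes and their meanings are constructed for illustration only.
POLICY = {
    "127.0.0.2": "reject",  # constructed: a category trusted enough to bounce on
    "127.0.0.6": "tag",     # constructed: a false-positive-prone category, tag only
}
# Constructed range standing in for major mail servers 'near' the site.
WHITELIST = [ipaddress.ip_network("192.0.2.0/28")]


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decide(ip, zone, resolve):
    """Return 'accept', 'tag' or 'reject' for a connecting IPv4 address.

    resolve(name) returns a list of A-record strings ([] when not listed);
    it is injected so the example runs without live DNS.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in WHITELIST):
        return "accept"  # whitelist is checked before any lookup
    answers = resolve(dnsbl_name(ip, zone))
    actions = {POLICY.get(a, "accept") for a in answers}  # unknown codes ignored
    for action in ("reject", "tag"):  # strictest matching action wins
        if action in actions:
            return action
    return "accept"


# Constructed answers standing in for a real DNSBL zone.
SAMPLE = {
    "10.113.0.203.example-dnsbl.invalid": ["127.0.0.6"],
    "11.113.0.203.example-dnsbl.invalid": ["127.0.0.2", "127.0.0.6"],
    "5.2.0.192.example-dnsbl.invalid": ["127.0.0.2"],
}


def fake_resolve(name):
    """Offline stand-in for a DNS A-record lookup."""
    return SAMPLE.get(name, [])
```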