Whirlpool

I 'm working for France Telecom (French ISP) and SORBS blacklist blocks for the second time an important customer network : 83.206.0.0 To 83.206.128.255. The problem is that is without reason.

The reason is again the presence of generic reverse DNS naming : *.static-ip.oleane.fr.

we personalize the reverse entry only if our customers ask. This half class B is cut out and we assign range IP (8, 16 ... 255) for one specific customer by
inetnum !!!!
This information is official and everyone can verify it to the RIPE web : www.ripe.net !!!! it is the only true information.

Our customers (83.206.0.0/17) use mailserver and are blocked.

I have open several troubletickets on the SORBS WEBSITE without answer. I have send several mail to mathew, without reaction.

I don't understand how SORBS can have customer....an effective blacklist must answer the requests quickly because it penalizes its own customers....!

You can read the news in your web : www.nl.sorbs.net/news.shtml, and I am not anti-blacklist, I agree to be referred if it is justified (by too much abuse complaint) and we respect the organizations which act quickly when they make errors. This case about 83.206.128.0/17, is the second times, for the same unjustified reason !

Technical Support Team
Hlakkache

I've had this problem with Sorbs and I have emailed them many times without responce.

Mabye you could use the information in their WHOIS information to contact them. Is this allowed though?

The last time I dealt with them, it took over a week for a reply to the ticket, and about another week for it to be fixed.

hlakkache writes...

You can read the news in your web : www.nl.sorbs.net/news.shtml

Wanadoo NL have indicated that SORBS can no longer be hosted free of charge in their data center, which leaves SORBS without a server in Europe. To this end SORBS is evaluating options, but is likely to takeup paid hosting, and therefore is likely to need to start charging for Services (probably following the Spamhaus model). More on that later.

I think that is good news. If organisations have to start paying for the service, they might think twice about using it. If SORBS start being paid for their service, others might finally get some commercial leverage.

I have open several troubletickets on the SORBS WEBSITE without answer.

This is the only communication that Matthew will accept. Pity it isn't as responsive as it needs to be. Matthew visits Whirlpool from time to time too.

Thanks for your different reply....I would like to know only if other people are penalized by SORBS.

> This is the only communication that Matthew will accept

It's too bad that this BL depends only on one single person.

Answers to the requests should be a SORB's priority because it is the sign of quality for their customers.

@+°

H.

hlakkache writes...

It's too bad that this BL depends only on one single person.

Not sure if that is actually true, but seems a bit like it. Here is the quote from Matthew:

SORBS writes...

I do not take delisting calls over the phone. Use: www.au.sorbs.net/cgi-bin/support someone will get back to you.
forum-replies.cfm?t=431699#r13

Have you tried the above address for logging the problem? If so, let us know so we can all see how good or otherwise the support is.

Maybe you could try WHIMming him to point out that you haven't heard back from your support request, but he hasn't been on for 3 days.
forum-user.cfm?id=23330

OK, thanks, I have send mail to matthew, but it is the second times, first was without reply.

I have two problems : 32.000 @IP are blocked (because we are generic reverse DNS : static-ip.oleane.fr), but, SORBS block too our antivirus mail server (mutualized server, this server relay more 1000 customers)....and to go out SORBS ask 50 $ :) .... it's joke. I prefer SPAMCOP, it's more serious or AOL who use a reject of the second line received, it'is more logical.

@+°

H.

hlakkache writes...

and to go out SORBS ask 50 $

They've done this before. Matthew tried to justify it as a suitable response to lack of action on the part of the complainant. This was his excuse last time.

SORBS writes...

We did not 'get into trouble', and we will still refuse to delist WebCentral (and anyone else) unless they make a donation to charity if like last time they tell us that they will not stop their subscriber from spamming until after Monday "because there are no senior staff working on weekends" ....
forum-replies.cfm?t=431699&u=23330#r13

I'd like to hear his justification this time. Obviously you have done something wrong and are deserving of punishment. (ROFLMAO - knew I couldn't type that and keep a straight face.)

SORBS writes...

The SORBS database consists of a number of tables, only one requires a donation to a charity or good cause not connected to SORBS.
forum-replies.cfm?t=431699&u=23330#r17

I'm wondering what table this is as distinct from others and who SORBS think they are to determine if a ransom is payable (being a donation to an unrelated third party does not make it any less a ransom).

I believe that it is really necessary to create a backlist best practices : reactivity, authorized criteria, quality of treatment....

it is one of my waitings of ISP's metting as the MAAWG : www.maawg.org/home

...?...

Pay to go out does not seem a good practice....the extraction must rest on a technical fact : by example : go out if there are not new complaints since one week and define a max time to refresh BL database (dead-line). BL must be interactive and alive.

SORBS do not propose anything....my definition of SORBS => it is a blackhole....you return and you can't leave....:(

I give up the possibility of leaving IP addresses from France Telecom because we cannot accept a blackmail and because I do not want to give importance to this doubtful list.

Thanks for your differents answers....

@+°

H.

JunkCrusader writes...

Not sure if that is actually true, but seems a bit like it. Here is the quote from Matthew:

forum-replies.cfm?t=431699#r13


This is the rule because there is one of me, and 10-12 people monitoring the queues that the support system mails to.

Note: They are all volunteers, abuse them or demand things and it is likely you will get ignored. Further, there are some who cannot read and rather than log a ticket and wait they think they are a lot more important and keep logging tickets which keep getting merged into later tickets, and later tickets, and later tickets...

Maybe you could try WHIMming him to point out that you haven't heard back from your support request, but he hasn't been on for 3 days.

Not a reliable medium, and nothing that would result in a delisting - it must happen via a support ticket, though I will accept pointers to tickets where the requestor thinks they are being ignored.

Regards,

Mat

JunkCrusader writes...

hlakkache writes...
and to go out SORBS ask 50 $

They've done this before.

This sounds like extortion to me.

I've never had any major problems with SORBS, but it certainly makes me very nervous continuing with using them for mail servers I'm responsible for (supporting well over 1,000 domains).

JunkCrusader writes...

I'm wondering what table this is as distinct from others and who SORBS think they are to determine if a ransom is payable (being a donation to an unrelated third party does not make it any less a ransom).

it supposedly is the one fed directly from sorbs honeypot addresses, therefore to get listed on that one you have to deliberately send spam to a sorbs address that never could ask for it.

blocking an entire subnet, especially on statically assigned addresses seems like major overkill when you can just block the single address instead. if it was a dynamically assigned range then i could understand. perhaps sorbs cannot tell the difference?

actually just checked on the sorbs site and that range is not listed, nor has it been since sep 15th 2005, although it is listed as dynamic.

Netblock: 83.206.0.0/16 (83.206.0.0-83.206.255.255)
Record Created: Tue Sep 6 14:12:00 2005 GMT
Record Updated: Thu Sep 15 13:44:01 2005 GMT
Additional Information: This netblock was removed/delisted, future listings will supersede this entry.
Currently inactive and not flagged to be published in DNS.

hlakkache writes...

I have open several troubletickets on the SORBS WEBSITE without answer.

JunkCrusader writes...

Maybe you could try WHIMming him to point out that you haven't heard back from your support request

SORBS writes...

Not a reliable medium, and nothing that would result in a delisting - it must happen via a support ticket, though I will accept pointers to tickets where the requestor thinks they are being ignored.

Hmmm ... it seems in context that I was making the suggestion to someone who had already opened a support ticket and felt they were being ignored.

hlakkache writes (on 14-Dec-2005)...

SORBS blacklist blocks for the second time an important customer network : 83.206.0.0 To 83.206.128.255

Just out of curiosity, how long did it take to resolve this issue from when the first support ticket was raised.

SORBS writes...

This is the rule because there is one of me, and 10-12 people monitoring the queues that the support system mails to.

Note: They are all volunteers,

It would be interesting to know how many of the organisations that use SORBS really understand how SORBS is managed?

Matthew, from what I have read of your own posts and from what others have said about the impact of SORBS on their organisations (not just on Whirlpool), I wonder if you really have an understanding of the damage you are doing or can do to peoples financial livelihood. On the other hand, perhaps you do understand but don't care or, even worse, feel justified in wielding this much power. I'm really not sure.

I'm personally not a big fan of black lists due to the high potential for collateral damage. I'd prefer to let extra SPAM through than to block genuine mail. However, I also have to accept that black lists are becoming a way life on the internet. That being the case, I can only hope that reputable black list services can also provide quick and efficient dispute resolution processes to minimise the collateral damage.

It would appear that from a technical perspective, what SORBS does is very good. It would be a shame to see it all spoilt by inadequate management processes.

rhom writes...

actually just checked on the sorbs site and that range is not listed, nor has it been since sep 15th 2005, although it is listed as dynamic.

Thanks for the post, rhom.

Provided there aren't any privacy issues, it will be interesting to find out whether or not the OP's (hlakkache) problem was SORBS related and what the final resolution was.

JunkCrusader writes...

I wonder if you really have an understanding of the damage you are doing or can do to peoples financial livelihood.

actually the problem is not his, or any other DNSBL owner, it's the mail admins out there who blithely use them without thinking of the consequences. they use blacklists but don't whitelist, they configure their servers to drop connections from addresses that are blacklisted (which is against the RFCs) which removes all ability for those blacklisted to contact a 'postmaster' type address to find out what's wrong or to get whitelisted.

if the admins would just think for a minute and use the DNSBLs sensibly then you wouldn't see this sort of problem.

I'm personally not a big fan of black lists due to the high potential for collateral damage. I'd prefer to let extra SPAM through than to block genuine mail.

me neither, not for absolute blocking anyway, i have no problem with using them for tagging though, after which the user can decide.

It is funny to see :

Netblock: 83.206.0.0/16 (83.206.0.0-83.206.255.255)
Record Created: Tue Sep 6 14:12:00 2005 GMT
Record Updated: Thu Sep 15 13:44:01 2005 GMT

My first forum post was december 14 because my subnet was blocked and it was the second SORBS blocking action on the same range (/17).

On this log, I can read "Record Created: Tue Sep 6" ? France télécom range was restored some day and filter again during 9 days and restored ?

What I can say : I never have had response about different troubletickets....it isn't really normal. I'm working in France Télécom ABUSE technical team and I prefer work with spamcop.

I am (maybe) a little strong, but what I understand it's SORBS falsify
their logs !

I am really curious to see the SORBS database history of my range....

I'm aggree to confirm that Spam is actually a very big problem : zombies are the first reason....I prefer that consumers use antispam systems as Bayesian Filtering, but I can understand that some people, inefficient in the field of data processing prefer entrust this responsibility at a BL....

I want only that BL are really reactive and use logic filter rules, reverses dns generic name is not a good rule, particulary when there is "static" term in this name.

@+° thanks for your different reactions

Have a great day !

i am haveing trouble getting email out to my cliants to i have been running my own mail server now for close on 5 years

all of a sudden (last month) i start getting this from all over the place yet i still can use the biggest SPAM mail service there is HOTMAIL

This is an informative message sent by MailServer x.x.x at XXXXXXX.
The server was not able to deliver your mail message to the following addresses:

<XXXXXXX@softhome.net> (a.mx.softhome.net: 550 blocked: from <XXXXXX@XXXXXXXX.XXXXXX.XXXX>­ to <XXXXXXX@softhome.net> via [xxx.xxx.xxx.xxx] with dul.dnsbl.sorbs.net)

Reporting-MTA: dns; XXXXXXXX
Arrival-Date: Wed, 11 Jan 2006 14:46:35 +1000

Final-Recipient: rfc22;XXXXXXXX@softhome.net
Action: failed
Status: 5.1.1
Remote-MTA: a.mx.softhome.net
Diagnostic-Code: SMTP; 550 blocked: from <XXXXXX@XXXXXXX.XXXXXX.XXX> ­ to <XXXXXXXX@softhome.net> via [xxx.xxx.xxx.xxx] with dul.dnsbl.sorbs.net

the first time SORBS blocked me i sent in a report to be removed and then looked at my mail servers logs the next day and found i had been attacked by SORBS to stress test my mail server to see if it was a problem 3 days later i was up and running again

the funny thing is i still can recive emails from the sites protected by SORBS

Sounds like SORBS is a cowboy outfit, "charity donations to get unblocked" or not.

As for the poster SORBS, this must be the only post I've seen and my skin is still crawling..

Just wondering what this has to do with Bigpoo ?

racy writes...

Just wondering what this has to do with Bigpoo ?

90% of bigpoo's IP's have been blocked by SORBS

well i have just come from SORBS site and have been told my domain name is fine but bigpoos IP has been blocked as its a dynamic IP that is funny i have had the same IP for going on 2 years now that is realy dynamic

SORBS get your act together and make it so ppl with long tearm IP's can get them delisted

sorry for spelling i have a bad head could and carnt think well

Adverse Effects writes...

90% of bigpoo's IP's have been blocked by SORBS

Which probably doesn't matter, because probably 95% of BigPond's IP address should never be directly sending mail - for the average home consumer, it should be going through the BigPond mail server.

Now, how many BigPond customers with static IPs have their IP listed by SORBS would be a more relevant question.

Adverse Effects writes...

SORBS get your act together and make it so ppl with long tearm IP's can get them delisted

Whether or not it has been held for a long time is irrelevant. It is still dynamic, it could still change any time. BigPond may decide to change the IP range from which your address is allocated (has happened before). You may have a loss of power and fail to renew the IP address before it expires and someone else could end up with it.

If you are running a mail server on a dynamic IP address, you should be able to configure you mail server to send the mail via the Big Pond mail server, then your IP address being blacklisted won't matter.

I would suggest that 99.9% of the time that a dynamically allocated IP address is directly sending mail, we are talking about SPAM or viruses. Dynamic IPs are not intended for running servers. That doesn't mean you can't do it, just that others will assume you won't be and that you might have to work a little harder to make it work for you.

racy writes...

Just wondering what this has to do with Bigpoo ?

Well, the OP had a problem with sending mail to BigPond customers, so the relevance to a BigPond broadband forum is loose to start with. I think the relevance is diminishing.

Adverse Effects writes...

90% of bigpoo's IP's have been blocked by SORBS

Firstly SORBS doesn't block anything. Secondly I assume you're talking about their DUL BL, which as the site explicitly states, is a list of ISP's dynamic IP addresses.

Why wouldn't anyone set up a mailserver on a Dynamic IP address? The only legitiment reason I can see is hobbist experimenting. Most mail coming from Dynamic IP addresses is from spammers or compromised PC's. Most (large) businesses wouldn't expect legitiment emails from a mail server on dynamic IP address, I certainly don't, which is why I'm currently trialing SORBS DUL BL. When implemented I expect a 20-30% drop in spam & a 90% drop in virus emails. IMHO worth pissing off a few hobbist whom could/should send outbound emails via their ISP's email server.

I rather hate people with attitudes like yours actually. I completely disagree with the principles behind mail blocking based on sender IP and i will never ever do it. A sender's IP, or a netblock, tells you absolutely nothing about the content of the email coming in. If I were to impliment a block and then fail to recieve just one legitimate email, then I would consider it a complete failure.

There have also been times where I have had to use my own local mail server to send emails due to issues or misconfigurations with an ISP's mail server that have prevented me from sending email any other way.

Reminds me somewhat of a couple of overzealous server admins who drop all traffic from APNIC assigned addresses to prevent virus and zombie traffic from hitting their servers. Sure, many of the IP's in those ranges do malicious things, but not all of them.

King Chris writes...

I certainly don't, which is why I'm currently trialing SORBS DUL BL

Well good luck, you are going to need it. SORBS has repeatedly added several of my customers to their Dynamic list, and always is a real pain in the ass and slow to remove it. They don't even check their own bloody records FFS, or they would see that they keep on adding the same static blocks to the list, simply because the RDNS on some IP's is auto-generated.

Sorbs is a law to their own. I find that they block too many legitimate servers/ip/subnets that clearly shouldn't be. Using sorbs causes more problems than without it.

Stick to the well known ones such as spamhaus and spamcop.

kyelewis writes...

I completely disagree with the principles behind mail blocking based on sender IP and i will never ever do it. A sender's IP, or a netblock, tells you absolutely nothing about the content of the email coming in.

Not true my friend, mail coming from a mail server on a dynamic IP address tells you either you're dealing with someone who is clueless about mail servers (i.e. they should have a static IP address if they're sending or receiving directly), or most likely that it's unwanted email traffic (spam/virus/etc).

If I were to implement a block and then fail to receive just one legitimate email, then I would consider it a complete failure.

That's fair enough. but if 70% of your email was unwanted, especially when you're talking about 80,000/week, then you might adopt a different philosophy. Someone sending email from a mail server on a dynamic IP address is very unlikely to be business related. They should relay the outbound email via their ISP's mail server.

Reminds me somewhat of a couple of overzealous server admins who drop all traffic from APNIC assigned addresses to prevent virus and zombie traffic from hitting their servers. Sure, many of the IP's in those ranges do malicious things, but not all of them

I know it sounds harsh, but sometimes the volume of such traffic is humungus, and can call for drastic, usually temporary, measures.

Big C writes...

Well good luck,

Thanks it's working quite nicely at the moment.

SORBS has repeatedly added several of my customers to their Dynamic list, and always is a real pain in the ass and slow to remove it.

Who's your ISP (or IP address provider)?

King Chris writes...

Who's your ISP (or IP address provider)?

Various

and SORBS are flagging static IP addresses on various ISP's as dynamic? If you don't mind giving me a list, I would like to follow it up. As I said I'm trialing it at the moment, so any legitimate gripes I'd love to hear.

>and SORBS are flagging static IP addresses on various ISP's as dynamic?

My example was a good case....one /17 (32.000 IP) block by SORBS. it was the second time and the last during 2 month !!!!

This france Telecom subnet is UP since only some days (maybe since one week) and without answer from SORBS to explain the delay and the reason. SORBS use strange criterion to identify a dynamic IP as the generic reverse name without use and compare with the information of official databases => WHOIS DB (RIPE, APNIC, ARINE, AfriNiC)....and it is really stupid to block one subnet with the term "static" is contain in the generic name (83.206.1.2 => 2-1.206-83.static-ip.oleane.fr).

Today, if I check this range on the SORBS search module, there aren't history of this adventure....SORBS give only the 83.206.0.0/16 (Record Updated: Thu Sep 15 13:44:01 2005 GMT ) and don't list the half class B 83.206.0.0/17 (0-128). It is not really serious....

2 months to analyze one ticket who block 32.000 IP address....I know that several IP address of WANADOO France have been blocked by SORBS the last year and during several month....

BL could use a CODE OF CONDUCT to provide a really good filtering and work : reactivity, data coherence....

JunkCrusader writes...

Matthew, from what I have read of your own posts and from what others have said about the impact of SORBS on their organisations (not just on Whirlpool), I wonder if you really have an understanding of the damage you are doing or can do to peoples financial livelihood. On the other hand, perhaps you do understand but don't care or, even worse, feel justified in wielding this much power. I'm really not sure.


I very much understand how much damage the SORBS DNSbl can do which is why I only have 12 volunteers and not 200, I have to keep careful watch over all of the additions and deletions, and when mistakes happen (they still do) I have to investigate the cause and try to ensure they never happen again. With 11 million IPs listed for a variety of reasons with 20k+/day listings that is a serious full time job in itself.

As far as financial impact goes, those who have the largest voice (by far) in the public forums are those that pay the least (mostly pay nothing) for their email accounts/connectivity... and then wonder why they get no support from the ISP.

In reference to the Telstra listings later in this thread, Telstra submit dynamic/statics lists for new IP blocks they acquire. They also let us know when a formerly dynamic address is reassigned to static address customers. On one occasion previously Telstra submitted a change with a mistake, which had a dramatic effect.

Another example of issues - recently a division of Microsoft got *ONE* of the Microsoft mailservers listed for spam, within 4 hours of the listing a Microsoft administrator was on the phone (they found the phone number - it isn't hidden) to ask why... 2 hours later Microsoft internal security contacted a marketing droid at 3am to tell them they would be fired if they spammed again.... 6 hours after the listing was put in place it was removed.

... now compare that with an organisation such as Wanadoo France.... They refused to terminate their spammers, and refused to terminate or suspend their virus infected spamming users for months, and when they were listed instead of fixing the issue they brought pressure to bare on a daughter company (Wanadoo NL) to terminate the SORBS hosting facility in Europe.... For around 1 year Wanadoo NL resisted before finally buckling under pressure... Wanadoo Fr is still listed and they still are doing *NOTHING* about spammers on their network.

... I hope that makes my position clear on the subject....

Regards,

Mat

PS: My apologies for the 3 month delay in the response but I have been too busy with the site (DB) redesign... I'm taking a break atm.

Adverse Effects writes...

well i have just come from SORBS site and have been told my domain name is fine but bigpoos IP has been blocked as its a dynamic IP that is funny i have had the same IP for going on 2 years now that is really dynamic


Let me guess - you're a cable user with a "Dynamic" address... yes I had my address for 9 months until an extended power failure (my UPSs won't last days) forced a new lease... Just because it doesn't change regularly doesn't make it static.

Regards,

Mat

I've been using SORBS for ~6 months at work now and it does wonders.

It picks up the occasional false positive (was some aussie company, maybe they have spammed, I dunno) but the software I use allow me to override SORBS locally, which is what anyone implementing it need IMO.

Sure SORBS is good, but sometimes people within the organisation need to deal with spamming companies (or those suspected of it) so an override is needed.

Hellman109 writes...

I've been using SORBS for ~6 months at work now and it does wonders.

I have to agree, I have seen a dramatic reduction in spam/virus's since implementing SORBS. Been using it for about 3 years, and have only had 1 false positive recently, and that was a company using a optusnet connection. IMO its well worth 1 false positive to weed out over 1000 spams a day. Keep up the good work!

Could SORBS please unlist 202.173.150.* which is NOT a dynamic block.

My company is also having trouble with sorbs blocking a our mail servers IP,
206.173.182.235..

Netblock: 206.173.176.0/21 (206.173.176.0-206.173.183.255)
Record Created: Fri May 12 03:46:26 2006 GMT
Record Updated: Fri May 12 03:46:26 2006 GMT
Additional Information: [MU] Dynamic/Generic IP/rDNS address, use your ISPs mail server or

get rDNS set to indicate static assignment.
Currently active and flagged to be published in DNS

I have been in contact with XO comm who is are ISP.
They told us that the changes for rDNS were made last year.
But here we are blocked and is costing the company money as we are in the Health care field.

Come on SORBS help!!!!!

XO Communications are responsible for -

CIDR: 206.173.0.0/16


It's up to them to let SORBS know that the /21 you have an allocation from is not dynamic address space. See the comments in the post from SORBS above re Telstra and them being responsible for the correct listing of IPs that they manage.


Telstra submit dynamic/statics lists for new IP blocks they acquire. They also let us know when a formerly dynamic address is reassigned to static address customers.

Jack.Daniels writes...

Telstra and them being responsible for the correct listing of IPs that they manage.

You make it sound like it's the ISP's fault here, and poor SORBS is not at fault.
Nobobdy asked them to go around and start making lists of dynamic IP's. Nobody asked them to continually add the same bloody blocks to their database. Nobody asked them to be slow in responding, and act like they all have their heads stuck up the ass.

I hope Matt has a good lawyer, because one day his team of neo-nazi maintainers is going to piss off someone who has the financial backing to make life painfull for SORBS.

And it appears these idiots have also listed a large section of Destra's IP's as well now.

Fools, they're a business wholesaler, (iBurst excluded) not retail. And you bloody listed them last year as well you idiots!

SORBS has listed a number of my customers. They take forever to respond, if they do at all. They are a waste of time. Their website is so slow and they have unrealistic ideas.

Their admins seem to think that they are too important and that they can hold the internet at ransom if they want.

Best thing to do it just use a different filter and ignore them. Like a bad smell they will go away.

Microtune writes...

SORBS has listed a number of my customers. They take forever to respond, if they do at all. They are a waste of time. Their website is so slow and they have unrealistic ideas.

My sentiments exactly. They are completely out of touch with reality.

I believe the sorbs people *do* ignore requests, until *they* feel like doing something about it. Which might be never.

Some time ago I had a network black lsited by these twits. Unlisting took MONTHS of emailing by both myself and the ISP whom allocated me the space. Eventually sorbs delisted the network, but only after months, and only after much inconvenience.

Funny side story: When trying to fill out their online forms once, i was greeted with a server-side error. I emailed sorbs regarding this, and within 5 minutes i had areply from MAtthew himself telling me to "get a real browser" ie like Firefox or Mozilla. I was using Firefox... So quick to berate people who they think are dumber than them (read: Everyone on earth), and so painfully slow to actually do what is right. But as I said, it was a server-side error, so his direction to get a better browser was horribly misguided. Then it dawned on me, this is the kind if incompetance behind the whole sorbs operation.

Big C writes...

I hope Matt has a good lawyer, because one day his team of neo-nazi maintainers is going to piss off someone who has the financial backing to make life painfull for SORBS.

Maybe I'm mistaken..

But isn't SORBS just a list - which ISP's or admins can choose to check against?

If I create a list of usernames i don't think people should use:

webbj,
SORBS,
Big C,

Does this mean that I have created the definitive list that everyone is obliged to obey?

Sounds about right. I wish i could just ignore them, but some fools out there use their dynamic IP lists. I was also greeted yesterday by the lovely lookup page that kept asking for one of those "type the letters in the image" checks. Shame the image was missing. Had to wait 1/2 an hour for it to start working again.

webbj writes...

Does this mean that I have created the definitive list that everyone is obliged to obey?

Not at all. But say for example someone creates a list of online businesses, and they promote this list as a list of shonky operators. Your name is added to the list one day, which you discover when a customer cancels an order.
When you ask why you were added to that list, they have no reason other than "they thought you were". This is of course a week later after repeated emails that you sent them asking for clarification.

So they remove you from the list. Then suddenly a couple of months later, they add you again. Once again you ask for them to remove you, and again after a significant delay they remove you. Once again they had no reason for adding you other than "they thought you were shonky", and they didn't even bother to check their own information.

How would you feel about the lost business? Would you be "oh well it's just a list", or would you be rather more upset?

Big C writes...

How would you feel about the lost business? Would you be "oh well it's just a list", or would you be rather more upset?

Granted.

But lets remember these guys aren't "trying" to make life difficult for non-spammers are they? ..if it weren't for Lawyers, and Spammers, wouldn't the world be a lovely place :)

webbj writes...

But lets remember these guys aren't "trying" to make life difficult for non-spammers are they?

I'm not so sure about that. Why does it take several days to get removed when the ISP themselves contacts them?

webbj writes...

But lets remember these guys aren't "trying" to make life difficult for non-spammers are they? ..if it weren't for Lawyers, and Spammers, wouldn't the world be a lovely place :)

I'm sure that they aren't 'trying', it's difficult all on it's own.

Big C writes...

You make it sound like it's the ISP's fault here

Then you read my post correctly, I'd also add to that anyone that decided to run a mail server from a dynamic IP address in the first place... just like a spammer

Nobobdy asked them to go around and start making lists of dynamic IP's

Quite the contrary, the ISPs and mail administrators that use the list asked...

Blanket blocking of mail servers running on dynamic IPs works, and it's a good thing. If you want to administer a legitimate mail server do it properly.

This is annoying the crap out of me, we're hosted with WestNet using a static IP and it's currently listed as dynamic. WestNet say they've requested it fixed (I believe them) but at present we can't get lots of emails out to important clients.

If this isn't fixed some time tomorrow I'm going to be forced to request either a new static IP or even use another ISP somehow (maybe temporary signup on another phone line) until it's fixed at least.

ISPs REALLY need to ignore SORBS and either collaborate together to create their own database or find an alternative. No problem with blocking emails direct from dynamic IPs, but without fast (almost instant) responses to the request of changes it's basically a useless service.

Jack.Daniels writes...

I'd also add to that anyone that decided to run a mail server from a dynamic IP address in the first place.

You're missing the point. These aren't dynamic IP's, they are static, but SORBS continually adds them to their dynamic lists. So we have forward and reverse DNS, they're not open relays, spam has never originated from them, yet my customers get bounce backs because some nazi decided that he thought they were dynamic, without asking the ISP that owns the address space.

And then they take days, weeks, even months to remove it.

phreeky writes...

If this isn't fixed some time tomorrow I'm going to be forced to request either a new static IP or even use another ISP somehow

I think a large portion of the Wesnet static space is now listed as dynamic by these cowboys. For the moment relay your outbound mail through westnets servers.

phreeky writes...

WestNet say they've requested it fixed (I believe them) but at present we can't get lots of emails out to important clients.

Westnet should have probably planned to have the listing changed when they made the decision to re-allocate some of heir dynamic space to static addresses. That said SORBS should have a faster turnaround in responding to ISPs changing their allocations, and maybe a better notification process.

In the interim, however, can't you use Westnet's SMTP as a relay agent?

ISPs REALLY need to ignore SORBS

I disagree, ISPs should embrace what SORBS is trying to do (and are in fact doing), that is to reduce the amount of spam and reduce the number of ways that spammers can get around filtering.

but without fast (almost instant) responses

As I said, Westnet (and other ISPs) should alter their change control procedures to include changing SORBS listings as part of their IP maintenance processes. All of this could have been avoided.

Spam is a part of life on the internet, and so is SORBS.

Jack.Daniels writes...

As I said, Westnet (and other ISPs) should alter their change control procedures to include changing SORBS listings as part of their IP maintenance processes. All of this could have been avoided.

Sure, so now then need to alert 200 different RBL's every time they make a change? Who made these RBL's god?

And you are assuming that they made a change. We run multiple links at work, one for downloading is a westnet with static IP. It is currently listed, yet we have had this same IP for over 3 years now. Yet you assume that it's the ISP's fault somehow.

Big C writes...

You're missing the point.

The point is, as I see it, SORBS does a good thing in maintaining the dynamic address lists. If there's bugs in updating it, then ISPs working with SORBS is the way to fix it.

Ultimately an ISP is responsible for maintaining their own address space, and part of the maintenance is the know what allocations they have listed with SORBS as dynamic, and plan to update SORBS as part of their maintenance.

but SORBS continually adds them to their dynamic lists

Based on what the ISP has told them? Or based on them having generic reverse DNS entries? Again, it's up to the ISP to be aware of how their address space is maintained.

And then they take days, weeks, even months to remove it.

As I've said, the process does need to be streamlined. But that's only going to happen with discussion, not with personal attacks.

because some nazi decided

Jack.Daniels writes...

Or based on them having generic reverse DNS entries?

Who said every static IP has to have a hand-coded RDNS entry? Sure, you do it for your mail server, but asking people to do an RDNS entry for every single IP is crazy. And what if it's a single IP shared between multiple services, which one do you use for RDNS?

SORBS also don't care if there is valid RDNS, they just add large blocks just because some appear to have auto-generated RDNS. I've even seen when addresses have generated RDNS like 15.4.16.203-static.isp.com added before

But that's only going to happen with discussion, not with personal attacks.

I've been having "discussions" with these people for over 2 years now, and they only seem to get slow, and less responsive. They also appear to take longer to remove addresses from their system the more you complain at them. My only recourse then is to spread the word on just how unreliable and incorrect their service is, until they decide to clean up their act, i'll continue to label them as cowboys.

Try explaining to 200 customers why their mail is suddenly blocked when none of us have done anything wrong.

Every ISP tech i have spoken to, from multiple different companies, who knew what SORBS was, hated them, and had nothing but bad things to say about them. I've yet to hear a single ISP tech defend or even speak neutrally about them. I think that says something.

does that post remind anyone of the dilbert comic where dogbert says , you can do anything to the employees aslong as you make it sound positive.

then makes the announcement similar to "we'll be putting gps tracking collars on you , for your safety", then announces the tissue sample testing "for heath reasons".

just because the objective is good doesn't mean the approach used is

Jack.Daniels writes...

I disagree, ISPs should embrace what SORBS is trying to do (and are in fact doing), that is to reduce the amount of spam and reduce the number of ways that spammers can get around filtering.

The idea of SORBS is great, the fact it's a private business and not a proper collaboration of industry leaders is terrible, I can't believe large telcos are happily using their database.

cheeba writes...

Funny side story: When trying to fill out their online forms once, i was greeted with a server-side error. I emailed sorbs regarding this, and within 5 minutes i had areply from MAtthew himself telling me to "get a real browser" ie like Firefox or Mozilla. I was using Firefox...

Proof is in the pudding ... please show the proof - I remember only one complaint and it was IE related.

Big C writes...

You're missing the point. These aren't dynamic IP's, they are static, but SORBS continually adds them to their dynamic lists. So we have forward and reverse DNS, they're not open relays, spam has never originated from them, yet my customers get bounce backs because some nazi decided that he thought they were dynamic, without asking the ISP that owns the address space.

Take a look at:

https://datatracker.ietf..._detail&id=14673

And then they take days, weeks, even months to remove it.

That shouldn't happen - however it can do based on current load. Making a mistake in the DUHL last week blew out the support queue - even when we took the database offline whilst we corrected it. We are working through the queues currently - for the last 4 days I personally have been working on SORBS until at least 1am, and then I have been up at 7-7:30am and started answering again before going to my regular day job.

Regards,

Mat

Jack.Daniels writes...

I disagree, ISPs should embrace what SORBS is trying to do (and are in fact doing), that is to reduce the amount of spam and reduce the number of ways that spammers can get around filtering.

What is SORBS doing that other RBLs aren't doing:

1) more responsively;
2) more efficiently;
3) more accurately?

As I said, Westnet (and other ISPs) should alter their change control procedures to include changing SORBS listings as part of their IP maintenance processes.

Why should ISPs be held to the ransom of someone who is even quoted later in this thread as breaking things, and then having to leave it "as he goes off to his day job". I know, it's a providers choice to /use/ SORBS, I need no lecture there - one of my clients is a 100,000+ subscriber webmail service, I know all about SORBS regularly blacklisting IP addresses.

SORBS writes...

Take a look at:

https://datatracker.ietf..._detail&id=14673

Okay. A draft, authored by you, where you attempt to specify how third parties should name their hosts, to your satisfaction. This may well sound like a troll, but tell me why any particular provider is obligated to broadcast the purpose of a host - it may well help you as the administrator of a RBL, but is also just as easily minable for nefarious purposes. "Hey look, a big block of dynamic IPs, now we can limit our use of Exploit ZZZ to that, and more quickly find more hosts to harass and annoy."

Not your problem? Sure. But to the observer it seems that your RFC Draft for Suggested Naming Schemes is primed for "Don't want to be blacklisted? We require that you change your naming scheme to match this specification, conveniently authored by us to suit our ends, not yours."

King Chris writes...

mail coming from a mail server on a dynamic IP address tells you either you're dealing with someone who is clueless about mail servers (i.e. they should have a static IP address if they're sending or receiving directly)

That's fine, in and of itself, but most people's complaints in this (and other threads) is irrelevant - it's about SORBS erroneously, /and repeatedly/ flagging IP blocks as dynamic, based on its WHOIS lookups and some regex matching.

And now we see that Matthew's proposed solution is not to improve his algorithms and rules to determine such, it's to submit a draft RFC in order to tell large netblock owners how they should name their networks and supply appropriate DNS records in a manner which, unsurprisingly, conforms with the patterns mentioned on SORBS.

I would just like to THANK Matt for getting my XO IP De-listed and for making my phone stop ringing so dang much...we can send email again yippy.....
I don't know who contacted who but Thanks Matt

You're thanking the very person who is responsible for all those phone calls? Strange.

Big C writes...

You're thanking the very person who is responsible for all those phone calls? Strange.

Well, when the guy banging on your thumb with a hammer stops, you are a bit grateful...

True..

Here's an examply of an address and PTR that is currently listed as dynamic

xxx-156-222-203.static.techex.net.­ au.

Nice regex matching guys.

I have no idea how Destra's static IPs got blocked but it has caused so much trouble this week. I recieved confirmation at 11pm Tuesday night that our IP had been removed.

We couldn't mail any customer using Optus hosting for a bit over 48hours (since Sunday afternoon) Makes it hard to alert them to critical updates for our software... Thanks for all the pain you've caused me as a SysAdmin SORBS. At least you fixed it alot quicker than the OP mentioned.

Achromatic writes...

This may well sound like a troll,

You said it not me...

Try reading the Draft - properly ....

It does clearly say this is a Suggested Naming scheme..

Also think past the end of your nose... if everyone actually followed that RFC, the SORBS DUHL would be unnecessary ... isn't that what you want... for people to stop using SORBS...?

Think...

/ Mat

Achromatic writes...

And now we see that Matthew's proposed solution is not to improve his algorithms and rules to determine such

You need to talk to Steve Champeon ... he also creates regexs as sendmail access files to block dynamics ... last time I spoke to him he hit 80k+ patterns... Think about that - the draft proposes a scheme which if people use that number should reduce...

What you are talking about should a lack of knowledge or clue... we have ISPs that label their ranges:

dsl-1.2.3.4.netspace.net.au
dsl-2.2.3.4.netspace.net.au

(sorry netspace, just an example) .. another...

1-2-3-4.in-addr.btinternet.com
2-2-3-4.in-addr.btinternet.com

For both their dynamics and statics... the whois information just lists the netblock and abuse contacts - no indication of service type etc...

The draft suggest it might be better to name the hosts:

1.2.3.4.dsl.sta.netspace.net.au
2.2.3.4.dsl.dyn.netspace.net.au

and to get rid of redundant data such as 'in-addr' from PTR records... hell we all know that PTR records are found in the in-addr.arpa zones .. why add the data?

The draft also says:

Clear identification and records for a host and network would resolve
most of issues relating to the identification of abusing or abused
hosts. Identification that includes reasonable information as to the
purpose or configuration of the host will also allow other networks
to configure access, thereby limiting abuse, using these
identification records.

.... do I really need to say more?

/ Mat

ssegro writes...

I would just like to THANK Matt for getting my XO IP De-listed and for making my phone stop ringing

XO contacted SORBS this morning (local time) and provided SORBS with an updated netblock list.

Regards,

Mat

Big C writes...

Here's an examply of an address and PTR that is currently listed as dynamic

xxx-156-222-203.static.techex.net.­ au.

I'm guessing it's delisted already... but just take a look here:

SORBS writes...

I'm guessing it's delisted already... but just take a look here:

nemesis.sorbs.net:82/203/222

Note the dates - obviously the date you specified has already been rescanned on request.. Others haven't though - you are welcome to check the data that we went by...

The netblock you indicated did not have 'static' in the PTR records prior to May 1, 2006.

/ Mat

Hi, I'm Ney Santos and I work in a Telecom company in Brazil.

We are having a lot of problems with SORBS DUHL... They blocked 2 entire IP ranges alleging "Dynamic IPs".

I would LIKE if someone anwser me how do they could know if that IP is Dynamic? How can do they prove that?

Those IPs are not Dynamic, and Sorbs are harming me and my customers.

How can we prevent that?

Please, I need help urgently!

Tks very much...

don't you guys have lots of gang wars over there atm, send them a picture and claim he's a informant hiding out in australia :P.

or play into this srobs characters demands ,(he's really sounding like the phb from dilbert more and more each post)

And now it appears Nextep is listed as well... good week this week for sorbs

210.0.95.xx.static.nexnet.net.au.

surprise surprise another SORBS thread on them blacklisting perfectly fine static IP addresses with reverse entries.

surprise surprise another MX server listed that has not sent SPAM and on no other blacklist but SORBS.

I noticed a similar thread ongoing in whirlpool westnet forums and aired my grievance there.
The more I search, thankfully I am not the only one affected AND annoyed.

Maybe SORBS need a whole subcategory to themselves as they seem to manage to stuff up many secure and valid mail servers with correct entries.

Big C writes...

I hope Matt has a good lawyer, because one day his team of neo-nazi maintainers is going to piss off someone who has the financial backing to make life painfull for SORBS.

There is very little doubt in my mind that this will eventually happen. I am not a lawyer and I have no litigous intentions of my own, but if this brand of cowboy styling continues, no amount of "Its an opt in list, you can't touch me" is going to keep Captain SORBS of the vigilante patrol out of court explaining his position to a magistrate. If they get off really lightly it might only cost them a couple of thousand dollars in legal fees.

It would be interesting to see how quickly a defamation suit by a corporate who have had their mail servers slanderously labelled as 'Spammer' in a public list would see service providers dropping their subscriptions.

SORBS writes...

cheeba writes...
Funny side story: When trying to fill out their online forms once, i was greeted with a server-side error. I emailed sorbs regarding this, and within 5 minutes i had areply from MAtthew himself telling me to "get a real browser" ie like Firefox or Mozilla. I was using Firefox...

Proof is in the pudding ... please show the proof - I remember only one complaint and it was IE related.

A brief summary of my recent experiences with the SORBS website:

* Hit the following URL when responding to one of my users complaints: https://www.au.sorbs.net/faq/dul.shtml

* IE immediately generates a warning: "Page contains both secure and non secure items".

* Firefox also generates a warning: "Invalid Certification Authority". The certificate for the site is invalid and been setup for *.au.sorbs.net. As far as I have experienced without looking it up, certificates don't even exist for wildcard domains so whoever set this up either has no clue, or doesn't care about trust, security, non-repudiation, or any of the other reasons you get a certificate signed properly. Whatever the actual reason, these messages say unreliable, and they say unprofessional.

* Accessed the database lookup page to verify our mail server IP was in the DB. Wants a logon or to type in the letters from the image. The "Human Detector Code" is broken: it just ignores whatever you enter.

* Hitting the back button results in a page with no images.

* Reloaded the page, tried query again. Page times out. Reloaded. Prompted to accept untrusted certificate again (using firefox).

* Forced to create an account on the site, respond to a verification email before checking the DB again.

There is no proof and no pudding beyond what I have reported here, but I assure you these are the results I have personally experienced from the SORBS website.

Cmdr Grey writes...

As far as I have experienced without looking it up, certificates don't even exist for wildcard domains

www.google.com.au/search...gle+Search&meta=

Wildcard certificates are not that uncommon. There is probably a lot of poorly implemented instances of them out there though. The same can be said for other certificate types too.

I've been following these SORBS threads with much interest today because antispam services are a focus of mine. Mistakes happen, but the importing of 6 months of data in one day and the subsequent delays in support response as a result of the overflow are quite alarming.

Dudley writes...

www.google.com.au/search...gle+Search&meta=

Wildcard certificates are not that uncommon. There is probably a lot of poorly implemented instances of them out there though. The same can be said for other certificate types too.

Ahh right, I stand corrected. Never set a wildcard cert up myself, only single names, and I guess the ones encountered so far were all setup properly so no warning prompts... The way it should be ;)

Cmdr Grey writes...

* Firefox also generates a warning: "Invalid Certification Authority". The certificate for the site is invalid and been setup for *.au.sorbs.net. As far as I have experienced without looking it up, certificates don't even exist for wildcard domains so whoever set this up either has no clue, or doesn't care about trust, security, non-repudiation, or any of the other reasons you get a certificate signed properly. Whatever the actual reason, these messages say unreliable, and they say unprofessional.


The reason that Firefox generates a "Invalid Certification Authority" is not because of the wildcard certificate, but because it is a self issued/ signed certificate rather than a certificate that has been signed by a 'trusted' Certification Authority that is recognised by firefox.

Can you awnser my question?

How can I prevent those listing?

Tks

-Ney-

Kt0t4 writes...

Can you awnser my question?

How can I prevent those listing?

Tks

-Ney-

You cant SORBS are a law unto themselves

Apparently having the correct information in your reverse lookup will prevent listing.

The provider i use has just done this for all of their static ranges, so it will be interesting to see if they get listed again, after being listed twice in the past month!

Graf Orlok writes...

Apparently having the correct information in your reverse lookup will prevent listing.

That's the arguement.
The "correct info" SORBS wants in Reverse DNS is from an RFC, written by...wait for it....Matthew from SORBS!

The more accepted reverse DNS format is already being used by the people with the problem. And the second more equally important part of the arguement is that these mail servers are being listed as whole /24 networks - and the clincher is that the people who are complaining on this forum are NOT sending SPAM in thr first place!

If SORBS was an organization that listed mail servers that did not conform to their own RFC - there would be no problem.

But they claim they update their list with mail servers that have been sending SPAM - and this is not the case.

we had a problem with one list a while ago blocking our isp host, i belive it was sorbs, but unsure, the problem they had was the response gotten was, "you sent spam two days ago" "what was the header or contents so we can find the source", " we don't have it " , "so how do you know it's spam, how can we stop it, how do we know there even was spam?"
"you just do, we'll unblock you within 1-24hrs"

The biggest pain in the arse is getting your clients to fax your ISP for the revers DNS request setup to be created.

Graf Orlok writes...

Apparently having the correct information in your reverse lookup will prevent listing.

Not in my experience...

maybe things are different these days

but in the past sorbs have black listed entire net blocks - irrespective of reverse dns being explicity configured.

And here i thought SORBS claimed that Telstra always gave SORBS their IP information.
I know have a customer on Telstra Business Sat with static IP who is listed.

Destra, Westnet, Nextep, Telstra all in one week. Not Good Enough.

Hi,

Happy that my post is always alive ;)

FYI => France Telecom subnet /16 is removed since 05-18-2006 ! I try, but I can't say thanx....because it was only several hundreds of professional customers blocked during 9 months ! I am frustrated because this network was in DUHL and This IP-RANGE wasn't a Dial-Up range and all was in agreement with SORBS on-line BCP
www.us.sorbs.net/faq/dul.shtml ..... unjust is a good word to define this adventure....

But, our tickets didn't remain unanswered this time. I acknowledge that the reactivity of SORBS is improved this month, I thank SORBS for this improvement.

++++++++++++++++++++

About this draft : www.ietf.org/internet-dr...g-schemes-00.txt

Why not ? but it is really important to add "Security Considerations" [DNS not secure, speck about DnsSec is really important today; speak about if naming is so precise => can be dangerous for ISP and consumers...etc..] and talk about IPV6 technology.

however, it isn't a good idea to try this document as a RFC draft, this document is directed to DnsBL and meets only the needs for the BL, global needs is more extended for reverses naming. I think that IETF team cannot waste time with this paper type, and prefers work on files more important like DKIM, SPF, SRS...and DnsSec....to help to decrease spam flow. Because I believe that the genaralisation of sender authentication protocols change the nature of the game for DnsBL.

Note : [MAAWG : first metrics report outlining the scope of the problem and validating that approximately 80 percent of Internet traffic today is abusive email].

HLAKKACHE