SORBS Insanity
Jeff Kell
jeff-kell at utc.edu
Thu Apr 15 04:19:18 UTC 2004
Jeremy Kister wrote:
[... giant snip ...]

We are a former user of SORBS. Our issue was not that of dynamic IPs,
but rather their spamtrap listings. A few weeks ago, at least two of
Comcast's legitimate mail servers were blacklisted. As Comcast has a
majority of the cable service in our area, we have a lot of users that
use Comcast as their ISP. Needless to say, listing several of Comcast's
prominent mail servers caused our mailers to reject the mail with the
SORBS bounce reply. We have since ceased using SORBS and cured the
Comcast problem, as well as a couple of other unrelated (and previously
unreported) problems.

But I have/had a considerable degree of respect for SORBS, and as part
of our abuse department, I dutifully report all of our reported spam
deliveries to SpamCop. When SpamCop does its analysis and notes that
the spam in question was listed in SORBS, I now cringe. It would have
been blocked.

So currently I'm considering asking for partial zone transfers of some
of their blocks (our mailer doesn't discriminate against the DNS return
address being 127.0.0.x or 127.0.0.y, a hit is a hit) and omitting at
least the 'spamtrap' portion (for the same reason we don't use SpamCop
directly -- the knee-jerk false positives outweigh the real hits to
upset a considerable portion of our user base).

From the opposite standpoint in acting on spam that originates in our
domain, everything to date has been a compromised machine and/or virus.
If SpamCop lists our registered mailers, I can at least respond from the
abuse address that the problem has been corrected and there are no
further interruptions in our mail service. I can only imagine the
problems if you end up blacklisted by SORBS if their response time and
effort is really this low for cleaning up their lists. While the big
ISPs may not act immediately (or at all) on compromised hosts with
trojan proxies, we do keep a tight lid on it (and block SMTP from
end-users at egress, but that is another discussion).

Jeff
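
Added example, not part of the original post: a mail-side check that does discriminate on the DNSBL return address, so a spamtrap-only listing is recorded but not rejected. The zone name `dnsbl.example`, the return-code mapping and the sample answers are constructed for illustration; a real list publishes its own codes.

```python
import ipaddress
import socket

# Hypothetical return codes for an aggregate zone (assumption, not a real list's).
RETURN_CODES = {
    "127.0.0.2": "open-proxy",
    "127.0.0.3": "open-relay",
    "127.0.0.4": "spamtrap",
}
# Policy discussed in the post: enforce everything except the spamtrap sublist.
ENFORCED = {"open-proxy", "open-relay"}
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

def query_name(client_ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return all A records for name, or an empty list when it is not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check(client_ip, zone, resolver=system_resolver):
    """Return (reject, matched_sublists) for one connecting client."""
    sublists = set()
    for answer in resolver(query_name(client_ip, zone)):
        # Only 127.0.0.0/8 answers are listing codes; anything else (for
        # example a wildcarded or parked zone) is treated as no listing.
        if ipaddress.IPv4Address(answer) in LISTING_NET:
            sublists.add(RETURN_CODES.get(answer, "unknown:" + answer))
    return bool(sublists & ENFORCED), sorted(sublists)

# Constructed answers standing in for DNS, keyed by query name.
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_ANSWERS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.4"],               # spamtrap only
    "11.2.0.192.dnsbl.example": ["127.0.0.2", "127.0.0.4"],  # proxy and spamtrap
    "12.2.0.192.dnsbl.example": ["203.0.113.9"],             # not a listing code
}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print(ip, check(ip, SAMPLE_ZONE, sample_resolver))
```

Unknown codes are reported but not enforced, so a new sublist added by the list operator does not start rejecting mail until it is reviewed.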