SORBS Insanity
Matthew Sullivan
matthew at sorbs.net
Thu Apr 15 12:30:13 UTC 2004
Jeff Kell wrote:
>
> Jeremy Kister wrote:
> [... giant snip ...]
>
> We are a former user of SORBS. Our issue was not that of dynamic IPs,
> but rather their spamtrap listings. A few weeks ago, at least two of
> Comcast's legitimate mail servers were blacklisted. As Comcast has a
> majority of the cable service in our area, we have a lot of users that
> use Comcast as their ISP. Needless to say, listing several of
> Comcast's prominent mail servers caused our mailers to reject the mail
> with the SORBS bounce reply. We have since ceased using SORBS and
> cured the Comcast problem, as well as a couple of other unrelated (and
> previously unreported) problems.
I do recommend anyone using the complete DB to whitelist any major
mailservers 'near' them. If you can't do this I recommend you use
tagging and/or use 'safe.dnsbl.sorbs.net' which doesn't contain the spam
DB, but does contain all other DBs.
> But I have/had a considerable degree of respect for SORBS, and as part
> of our abuse department, I dutifully report all of our reported spam
> deliveries to SpamCop. When SpamCop does its analysis and notes that
> the spam in question was listed in SORBS, I now cringe. It would have
> been blocked.
>
> So currently I'm considering asking for partial zone transfers of some
> of their blocks (our mailer doesn't discriminate against the DNS
> return address being 127.0.0.x or 127.0.0.y, a hit is a hit) and
> omitting at least the 'spamtrap' portion (for the same reason we don't
> use SpamCop directly -- the knee-jerk false positives outweigh the
> real hits to upset a considerable portion of our user base).
safe.dnsbl.sorbs.net - available on all the public DNS servers and by
using the zonefiles.
> From the opposite standpoint in acting on spam that originates in our
> domain, everything to date has been a compromised machine and/or virus.
> If SpamCop lists our registered mailers, I can at least respond from
> the abuse address that the problem has been corrected and there are no
> further interruptions in our mail service. I can only imagine the
> problems if you end up blacklisted by SORBS if their response time and
> effort is really this low for cleaning up their lists. While the big
> ISPs may not act immediately (or at all) on compromised hosts with
> trojan proxies, we do keep a tight lid on it (and block SMTP from
> end-users at egress, but that is another discussion).
You will note my post before Christmas about the up and coming
whitelisting mechanism - I am still collecting details for people
wanting to use it - unfortunately for a variety of reasons the
whitelisting mechanism is still not ready to go public.
Yours
Matthew
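
Added example, not part of either poster's message and not SORBS code: a sketch of the receiving-side policy discussed in this thread (local whitelist first, per-return-code filtering instead of "a hit is a hit", and tagging instead of rejecting). The zone name dnsbl.example, the return-code values and the sample records are constructed assumptions; the resolver is injected so the block runs offline.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_qname(ip, zone):
    """192.0.2.25 + zone -> 25.2.0.192.zone (IPv4 octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check(ip, zone, resolve, whitelist=(), ignore_codes=(), tag_only=False):
    """Return (action, detail); action is 'accept', 'tag' or 'reject'.

    resolve(qname) returns the A records as strings, [] when not listed.
    """
    addr = ipaddress.IPv4Address(ip)
    # The local whitelist wins before any DNSBL query is made.
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return "accept", "whitelisted"
    hits = sorted(
        a for a in resolve(dnsbl_qname(ip, zone))
        # Only 127.0.0.0/8 answers are listings; any other answer (for
        # example from a wildcarded zone) must not count as a hit.
        if ipaddress.IPv4Address(a) in LOOPBACK and a not in ignore_codes
    )
    if not hits:
        return "accept", "not listed"
    return ("tag" if tag_only else "reject"), ",".join(hits)

# Constructed sample data: documentation addresses and assumed codes.
SPAMTRAP = "127.0.0.6"  # assumption: return code of the spamtrap DB
PROXY = "127.0.0.2"     # assumption: return code of an open-proxy DB
FAKE_ZONE = {
    "10.2.0.192.dnsbl.example": [SPAMTRAP],         # ISP relay, spamtrap only
    "20.2.0.192.dnsbl.example": [PROXY, SPAMTRAP],  # listed in two DBs
    "30.2.0.192.dnsbl.example": ["203.0.113.1"],    # bogus non-loopback answer
}

def fake_resolve(qname):
    """Stand-in for a real DNS A lookup against the list's zone."""
    return FAKE_ZONE.get(qname, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check(ip, "dnsbl.example", fake_resolve,
                        ignore_codes=(SPAMTRAP,), tag_only=True))
```

Check the list operator's documentation for the real return-code values before setting ignore_codes.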