
SORBS - Is There a Better Spam Blacklist?

rootnl asks: "Recently I decided to upgrade my email server with better spam detection and decided to use the SORBS blacklist. It is a very aggressive blacklist and could be deemed quite effective. However, I discovered two totally legal servers currently being blocked by their Spam 'o Matic service: a Google Gmail server (64.233.182.185), and another server belonging to an ISP called Orange (193.252.22.249). Now, normally one would think these providers would probably get themselves de-listed, but the process provided revolves around donating money. As I just happen to have a friend that is using the said ISP, I have to seriously reconsider using SORBS. What is your experience with SORBS? If you have alternatives, what would you suggest as a better blacklist service?"
  • Dunno about better (Score:5, Informative)

    by melonman ( 608440 ) on Friday January 05, 2007 @05:00AM (#17470940) Journal

    But avoid SPEWS like the plague. They have a wonderful policy of blacklisting entire 16-bit IP ranges because one machine in an enormous server park has been used to send spam.

    They know this causes massive collateral damage to machines administrated by totally independent companies, many of them small and liable to suffer severe hardship because of this arbitrary action. That's precisely the idea: they keep hurting non-spammers to make them lobby the server parks to deal with the spammers.

    Unless you think that kidnapping children and refusing to return them unless their parents fight the mafia for you is an ethical law-enforcement policy, SPEWS is obviously far far worse than the problem they are allegedly attempting to solve.

  • SURBL (Score:5, Informative)

    by tootired ( 91527 ) on Friday January 05, 2007 @05:13AM (#17470988)
    SURBL is a URL blacklist.

    Employing it enables your spam software to block emails that have matching blocked urls in the message body.

    I have not gotten any false positives with it and it blocks a ton of nasty phishing stuff in addition to the usual SpermaMAXX crap.
  • by dtfinch ( 661405 ) * on Friday January 05, 2007 @05:19AM (#17471018) Journal
    All the blacklists I know have a tendency to block entire ISPs rather than just the ranges known to generate spam, if they think the ISP isn't taking sufficient action against its spammers or spambot infected customers.
    Blacklists and whitelists are useful, but I wouldn't use them as the sole indicator of whether or not an email is spam.
  • Orange = Wanadoo (Score:5, Informative)

    by grahamm ( 8844 ) <gmurray@webwayone.co.uk> on Friday January 05, 2007 @05:22AM (#17471034) Homepage
    Orange is part of Wanadoo who are known to be both spam friendly and to host spamvertised web sites. So maybe listing Orange is not such a bad idea.
  • by Anonymous Coward on Friday January 05, 2007 @05:56AM (#17471202)
    Several reasons why:
    Large netblocks will be repeatedly put onto one of their lists if they don't comply with the founder/main admin's idea of how reverse dns should be configured. They will list IP blocks that don't conform to an RFC that funnily enough, he wrote.

    Getting in contact with them in any reasonable timeframe is damn near impossible in any timely manner.
    Primary/Secondary SMTP servers of ISPs will often be listed as part of their blanket block approach.

    They continually block whole IP ranges that are statically assigned, often automatically with seemingly no human oversight. There can be found many complaints on assorted web forums across the net, especially Australian, full of people trying to figure out why they were listed on one of the sorbs lists, and how to be removed.

    Almost all of the issues I have run into with SORBS don't seem to have anything to do with eliminating spam, more to do with pushing the founder's RFC for reverse lookups. Comply, and you are free from hassle forever. Fail to comply, and face losing SMTP access to any providers using SORBS for anywhere from a day to over a week.
  • by Zocalo ( 252965 ) on Friday January 05, 2007 @06:01AM (#17471222) Homepage
    To extend on that I also have a META rule set up to handle DNSBLs in SpamAssassin that adds some additional points based on how many RBLs each IP address has hit. A server on one DNSBL may be a false positive or an over aggressive listing, but if it's on three or four then it's almost certainly spam and gets an extra couple of points towards being classed as spam. If it matches five or more, then it gets an instant +50 file in the mailbox "/dev/null" score.
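An added example, not part of the comment above and not SpamAssassin's own code: the hit-count idea it describes, with the DNSBL query name built by hand. The zone names, the sample listings and the 2.0 value for "a couple of points" are assumptions made for illustration; the lookup is injectable so the sample runs offline.

```python
import ipaddress
import socket

# Placeholder zones (constructed); substitute the DNSBL zones you actually query.
ZONES = ["bl%d.dnsbl.example" % n for n in range(1, 6)]

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_lookup(name):
    """Live resolver: an A record means listed, a resolution failure means not."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def dnsbl_hits(ip, zones=ZONES, lookup=dns_lookup):
    """Query every zone (no short-circuit) so the hit count is meaningful."""
    return [zone for zone in zones if lookup(dnsbl_name(ip, zone))]

def extra_score(hit_count, bump=2.0, kill=50.0):
    """Thresholds from the comment: 3 or 4 lists add a couple of points
    (2.0 is an assumed value), 5 or more add 50. Fewer add nothing extra."""
    if hit_count >= 5:
        return kill
    if hit_count >= 3:
        return bump
    return 0.0

def fake_lookup(listings):
    """Offline resolver built from a constructed {ip: [zones]} table."""
    names = {dnsbl_name(ip, z) for ip, zones in listings.items() for z in zones}
    return lambda name: name in names

# Constructed listings on documentation addresses (RFC 5737).
SAMPLE = {
    "192.0.2.10": ZONES[:1],     # one list only: possible false positive
    "198.51.100.7": ZONES[:3],   # three lists
    "203.0.113.99": ZONES,       # all five
}

if __name__ == "__main__":
    lookup = fake_lookup(SAMPLE)
    for ip in SAMPLE:
        hits = dnsbl_hits(ip, lookup=lookup)
        print(ip, len(hits), extra_score(len(hits)))
```

Real lists encode the listing type in the returned 127.0.0.x address, so a production check should inspect that value rather than treat any answer as a hit.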
  • See what works best (Score:1, Informative)

    by Anonymous Coward on Friday January 05, 2007 @06:04AM (#17471230)
    Multi-RBL check [robtex.com]

    Type in a few of your favourite IP addresses. See which lists have fewest misses.
  • by christophe.vg ( 742168 ) on Friday January 05, 2007 @06:19AM (#17471316) Homepage

    For a few years now, I've been using three RBLs to filter the incoming mails on our mail server, which hosts a few small-sized customers and some personal domains. The RBLs I use are: SpamHaus, SPEWS and SpamCop. We have set them up in sequence, so that a mail caught by one is not passed to the following anymore.

    Looking at two days ...

    01/01/07
    total mails processed : 1432
    considered non-spam : 719 (50.21%)
    total number of blocks : 713 (49.79%)
    spamhaus : 630 (88.36%)
    spews : 2 ( 0.28%)
    spamcop : 81 (11.36%)

    01/01/06
    total mails processed : 381
    considered non-spam : 155 (40.68%)
    total number of blocks : 226 (59.32%)
    spamhaus : 191 (84.51%)
    spews : 31 (13.72%)
    spamcop : 4 ( 1.77%)

    ... it shows the trend I've seen over this time: SpamHaus does a great job for me and we haven't received any complaints from the customers concerning people not able to contact them.

    Given these (poor-man's statistics) it seems that SPEWS is of little use to us. SpamHaus catches most of the problems. Maybe even if we switched SPEWS' and SpamCop's order, we might see that the latter would be able to catch those mails now caught by the former. It's surely something we're going to try.

    On the other hand, it might very well be that SPEWS would catch also all SPAM caught by SpamHaus. Reversing the current order might be a nice test before we come to any real conclusions on which RBL to drop ;-)

    The (current) bottom line: For us, SPEWS isn't causing any problems, but also doesn't help us that much. SpamHaus seems to be a great RBL source and SpamCop seems to be a nice addition.

    But it doesn't stop all SPAM.
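An added example, not part of the post above: with lists chained in sequence, each blocked mail is credited to whichever list comes first, so the per-list numbers depend on the order. Recording every list that hits each mail gives totals and unique catches without reordering anything. The log below is constructed and its counts are not the poster's figures.

```python
def first_match_counts(messages, order):
    """Sequential setup from the comment: a blocked mail is credited only to
    the first list in `order` that hits, so later lists never see it."""
    counts = {name: 0 for name in order}
    for hits in messages:
        for name in order:
            if name in hits:
                counts[name] += 1
                break
    return counts

def coverage(messages, lists):
    """Order-independent view: total hits per list, and mails that only
    that one list caught (what you would lose by dropping it)."""
    total = {name: 0 for name in lists}
    unique = {name: 0 for name in lists}
    for hits in messages:
        matched = [name for name in lists if name in hits]
        for name in matched:
            total[name] += 1
        if len(matched) == 1:
            unique[matched[0]] += 1
    return total, unique

# Constructed log: for each mail, the set of lists that listed the sending IP.
SAMPLE = (
    [{"spamhaus", "spews"}] * 6
    + [{"spamhaus"}] * 2
    + [{"spews"}] * 1
    + [{"spamcop"}] * 2
    + [{"spamhaus", "spamcop"}] * 1
    + [set()] * 3          # mail no list flagged
)
LISTS = ["spamhaus", "spews", "spamcop"]

if __name__ == "__main__":
    print(first_match_counts(SAMPLE, LISTS))
    print(first_match_counts(SAMPLE, ["spews", "spamhaus", "spamcop"]))
    print(coverage(SAMPLE, LISTS))
```

In this sample the second list looks nearly useless when it runs second (1 block) and strong when it runs first (7 blocks), while the unique count (1) is the figure that says what dropping it would cost.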

  • by Anonymous Coward on Friday January 05, 2007 @06:28AM (#17471374)
    The point of blocking a rogue ISP, rather than just "the ranges known to generate spam", is simple. If the ISP has made it clear it has a policy of permitting its services to be used to generate spam, then any and all of its IP addresses are likely to be used by spammers within short notice. Spammers are aware of when they're blocked, and if the ISP is on the spammers' side, they will happily hand the spammer new IP addresses every time the old ones get blocked.

    Trying to keep spammers blocked when the ISPs are moving them around is called "whack-a-mole" and it is a pointless endeavor.

    ISPs have a choice not to willingly host spammers. They don't have to become super-duper spamfighters in order not to get blocked. All they need to do is not host spammers. It's really not that hard! Just consider: if you're an ISP and someone calls up and says they want to be your customer, and you find out that they want to sell penis pills and horse porn, use your common sense! The ISPs that are willful spammer hosts at this point are the ones which have thrown their lot in with the spammers, and to hell with the rest of the net.

    Want to know where the spammers are? Check this list. [spamhaus.org] The ISPs with the worst spammer problems are Verizon Business, Serverflo, and SBC. If you choose to host with these ISPs, you are moving into a neighborhood where the "government" (the ISP) is already proven to be in bed with the Internet's largest native criminal element. If you do this, you should expect the rest of the world to treat you with some suspicion.

  • by Lost Race ( 681080 ) on Friday January 05, 2007 @06:52AM (#17471488)

    SPEWS is probably not relevant any more. There have been no changes to the published DNSBL zones since 2006-08-24; apparently the database is no longer being maintained.

  • sbl-xbl (Score:5, Informative)

    by Halo1 ( 136547 ) on Friday January 05, 2007 @06:54AM (#17471496)
    sbl contains the spamhauses, xbl trojaned boxes/open proxies etc (you can of course also only use one of them). See http://www.spamhaus.org/xbl/index.lasso [spamhaus.org]
  • Re:Orange = Wanadoo (Score:3, Informative)

    by Ksempac ( 934247 ) on Friday January 05, 2007 @08:30AM (#17471932)
    First Wanadoo doesn't exist anymore. Second Orange has never been part of Wanadoo. Wanadoo was the ISP branch of France Telecom (the main phone company in France), who bought the British mobile phone company Orange. Then they decided to merge all their mobile phones/ISP services in Europe (including Wanadoo and Orange, but also many others) into one single company called Orange [wikipedia.org]. Third, before saying some company is spam friendly, you should get some reliable source.
  • by cyberfoxz ( 207499 ) on Friday January 05, 2007 @08:42AM (#17471994)
    I work at the abuse dept. of a large Dutch ISP and we rely heavily on SORBS. When I started working there one of my colleagues convinced us that there is no way you could be able to contact SORBS and I thought that to be true. We found out however that it is really not that hard to get in touch with them and if you follow their guidelines, you never have to pay for delisting. The paying part is mainly to scare off spammers delisting addresses they do not own. They use a small set of totally acceptable rules to delist addresses from their DUL list (if you use a mailserver on a dynamic address, go get a static one. If you can't, you should be using your ISP's mailserver). Their rules:
    1. Only the owner of the address space may contact them, as listed in one of the five RIR databases (RIPE, ARIN etc). We always use abuse@isp.com, because this is a known address in RIPE.
    2. The IP address must be known as static and have a PTR-record stating it is static (mail.domain.com is acceptable).
    3. It must have a correct A-record.
    4. The TTL of the A-record must be 86400 sec.
    If you contact them in the way they wish to be contacted (just read their website, it's not that hard), they will delist you in 24-48 hours. However, if you aren't the owner of the address space or the simple rules are not followed, your request will be ignored. Everyone who thinks they can't get through to SORBS just isn't reading their guidelines, it's that simple.
  • so they block me, and therefore I cannot send email to anyone using two of the major ISPs in Australia. I have emailed sorbs and asked them to check my server.
    You're shooting at the wrong duck. You're not being blocked by SORBS, but by the "two major ISPs in Australia". Your beef is with them, not SORBS.
  • by mvdwege ( 243851 ) <mvdwege@mail.com> on Friday January 05, 2007 @09:23AM (#17472268) Homepage Journal
    If SPEWS feel the need to punish ISPs for their behaviour, they need two classes of blacklist: [...]

    People would take you a lot more seriously if you would do your homework before making bold statements.

    Hint: try reading the SPEWS FAQ and looking at the database before spouting off.

    Mart
  • by kunwon1 ( 795332 ) * <dave.j.moore@gmail.com> on Friday January 05, 2007 @09:28AM (#17472296) Homepage
    ORDB just shut its doors. From their closing announcement: (emphasis mine)

    We regret to inform you that ORDB.org, at the ripe age of five and a half, is shutting down. It's been a case of a long goodbye as very little work has gone into maintaining ORDB for a while.

    Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.

    We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).

  • by target562 ( 623649 ) on Friday January 05, 2007 @10:17AM (#17472714) Homepage
    With the advent of the spam bot networks, blacklists aren't as useful for spam fighting as they used to be. Greylisting + content analysis is currently the way to go; though Spamhaus still does a decent job, but not Spamcop due to their "unsolicited bounces" thing...
  • Re:Orange = Wanadoo (Score:2, Informative)

    by grahamm ( 8844 ) <gmurray@webwayone.co.uk> on Friday January 05, 2007 @11:55AM (#17474264) Homepage
    If you do a 'whois' search on the IP address given for the 'Orange' ISP it shows the owner as being Wanadoo Netherlands.
  • by mutterc ( 828335 ) on Friday January 05, 2007 @01:46PM (#17476174)

    Spamhaus claims to not do this... the only time they list IPs that are not spam sources are pre-emptively when a spammer on their ROKSO list gets an account, and sometimes ISP's corporate mail servers (not the customers' ones, and not customer machines).
