SORBS - Is There a Better Spam Blacklist?
rootnl asks: "Recently I decided to upgrade my email server with better spam detection and decided to use the SORBS blacklist. It is a very aggressive blacklist and could be deemed quite effective. However, I discovered two totally legal servers currently being blocked by their Spam 'o Matic service: a Google Gmail server (64.233.182.185), and another server belonging to an ISP called Orange (193.252.22.249). Now, normally one would think these providers would probably get themselves de-listed, but the process provided revolves around donating money. As I just happen to have a friend that is using the said ISP, I have to seriously reconsider using SORBS. What is your experience with SORBS? If you have alternatives, what would you suggest as a better blacklist service?"
Dunno about better (Score:5, Informative)
But avoid SPEWS like the plague. They have a wonderful policy of blacklisting entire 16-bit IP ranges because one machine in an enormous server park has been used to send spam.
They know this causes massive collateral damage to machines administrated by totally independent companies, many of them small and liable to suffer severe hardship because of this arbitrary action. That's precisely the idea: they keep hurting non-spammers to make them lobby the server parks to deal with the spammers.
Unless you think that kidnapping children and refusing to return them unless their parents fight the mafia for you is an ethical law-enforcement policy, SPEWS is obviously far far worse than the problem they are allegedly attempting to solve.
Re:Dunno about better (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
And you will have as much spam as before.
Spam-friendly ISPs will regularly give different IP addresses to spammers.
SPEWS stands for SPam Early Warning System. That is, it BLOCKS spam BEFORE it leaves the network, in anticipation of the ritual spammer IP address change. And that can only be achieved by listing the whole IP range of the spam-friendly ISP.
Re: (Score:2)
And while their listing expansion policy has always been pretty zealous, the best thing SPEWS had going for it was its evidence files, containing sample spam and WHOIS information. I speak in the past tense because they're always woefully out of date these days, and the information is worse than nothing when you have to look at it then hit whois to see who the REAL owners are now. I don't think any mail admin seriously uses SPEWS anymore except as a very mino
Re: (Score:2)
Re: (Score:2)
If SPEWS feel the need to punish ISPs for their behaviour, they need two classes of blacklist: one that says 'this address sends spam', and one that says 'this address probably isn't a spammer, but it belongs to a Bad Network'. Then let users choose for themselve
Re: (Score:3, Informative)
People would take you a lot more seriously if you would do your homework before making bold statements.
Hint: try reading the SPEWS FAQ and looking at the database before spouting off.
Mart
Re: (Score:2)
OK, I'm assuming your ignorance was not malicious. Yes, SPEWS does use multiple levels of blocking, for sources that are positively identified as either being spam sources or belonging to a provider that does not appear to have decent abuse handling they publish a list that can be used for blocking, and for other sources they use a list that is merely 'watched' (and expressly advised not to be used as an RBL).
Although the fact that they haven't been updated since August worries me a little. Possibly the SP
Re:Dunno about better (Score:4, Informative)
SPEWS is probably not relevant any more. There have been no changes to the published DNSBL zones since 2006-08-24; apparently the database is no longer being maintained.
Re: (Score:2)
Let me explain. You have to decide what it is you're trying to accomplish as a blacklist operator. Are you trying to advise people of spam sources? Or are you trying to punish spammers and their friends?
If you're just trying to advise people of spam sources, so that they can choose not to receive mail from spammers, then do just that. List spam sources, and stop there. Mission accomplished, although spammers will move around and you'll have t
Re: (Score:2)
Wow, I'm glad they have you to tell them how they have to run a blacklist.
FYI, some ISPs give spammers new IP addresses every day. IMO there's just one way that should be dealt with, block the ISP entirely. There's no need to take in new spam every day until you catch that day's list of IPs from that ISP. Just blocking the ISP is much more efficient. If there is collateral damage, that's the fault of the crappy ISP.
Don't like how they run their blacklist? Tough.
Re: (Score:2)
Re: (Score:2)
The original post explained why the end does not justify the means. You 'counter' it by insisting that since you can't think of anything better the end does justify the means. Welcome to rational debate.
Not that I'm blaming you - and you did say that you don't use RBLs anymore.
Perhaps since there is no 'rational' answer to this question of priorities, the best s
Re: (Score:2)
At no point did I suggest that the ends justified the means, I merely asked what alternatives an RBL operator has when faced with an ISP that knows, but does not care that spammers reside on and operate from their network. What precisely *are* they supposed to do? Playing whack-a-spammer by only listing IPs that send spam does not work when there are ISPs that actively ai
Re: (Score:2)
> RBLs and collateral damage, because it puts control in the hands of the
> recipient where it belongs.
If I had not been able to switch to DSL from dialup a while back I would have had to give up my current email address. The volume of spam would by now have exceeded the capacity of the link. It is simply not possible for all users to "take their spam".
Re: (Score:2)
I agree with you entirely that one providing e-mail services to paying customers really ought to inform those customers of what they're doing to filter their e-mail. I had to pick my e-mail provider very very carefully for this reason, and thus far I've had no problems (been with 'em going on 4 years) because they're entirely up-front about what they do by default (nothing)
Re: (Score:3, Insightful)
Is it the right of the owner of a mail server freely to accept or refuse messages at will? Is it his right to define whatever rules he wishes for the acceptance or rejection of email? Is there anybody in the world who has the right to order him to do otherwise?
If the answers are 'yes', 'yes' and 'no' respectively, I submit to you that it is those who would silence SORB
Re: (Score:2)
The error in your reasoning starts when you assume that self-appointed do-gooders have the right to infringe the rights of third parties. (I'm not going to answer any posts about how actually it's just a list and no-one has to use it bla bla - save it for the bar-room barristers.)
You have some gall beginning your post with an analysis of the error in other people's logic while predicating your argument on rights that don't exist and then insisting that if anyone points this out you'll stick your fingers in
Re: (Score:2)
What the hell are you talking about? It's quite the opposite -- barring private contracts you have no implicit right to send e-mail to an
Re: (Score:2)
You need to read before you click submit; go back and read my post again. Pay particular attention this time to where I mention the words "private contracts". Did you hear me talk about my private property? Please tell me what law requires that I acc
Re: (Score:2)
Re: (Score:2)
You mean like Joe Jared [oretek.com], or maybe the NANAE Nine? [pcworld.com]
Lawyers are the only creatures on the planet with less scruples than spammers. Prudence does not necessarily equal cowardice.
Re: (Score:2)
Whilst I have no experience with SPEWS, I have worked with ISPs and web hosting providers in the past. Blocking IPs that "only host websites" makes perfect sense when those web sites host brain-dead form-to-mail scripts/executables (i.e. sender and recipient addresses can be supplied as form parameters) - it's as good as advertising free SPAM zombies.
Re: (Score:2)
I tend to hear that a lot. Funnily enough everyone posting these kind of complaints about SPEWS never seem to add any examples.
So, care to give examples?
Mart
Re: (Score:2)
SPEWS blocks the entire netblock that our company resides in. That netblock is managed by NextWeb, the only ISP we can get with our building location, and although we have not spammed anybody, we are collateral damage.
Yesterday, I was contacting a company about a technical support issue, and their e-mail server sent me back a nice 550 of, "5.7.0 Your server is a suspected spammer, we are quarantining the e-mail" (or something like that, not those exact words).
SPEWS is
Re: (Score:2)
That is not a verifiable example. That is hearsay.
What was the name of that provider? What was the netblock being 'blocked'?
Mart
Re: (Score:2)
Bullshit. SPE
Re: (Score:2)
SPEWS is bad. SORBS isn't horrible. The problem with many block lists is that they are, more o
Re: (Score:2)
Re: (Score:2)
BadAnalogyGuy, is that you?
SURBL (Score:5, Informative)
Employing it enables your spam software to block emails that have matching blocked urls in the message body.
I have not gotten any false positives with it and it blocks a ton of nasty phishing stuff in addition to the usual SpermaMAXX crap.
Expect many false positives (Score:4, Informative)
Blacklists and whitelists are useful, but I wouldn't use them as the sole indicator of whether or not an email is spam.
Re: (Score:2)
Re: (Score:3, Informative)
Spamhaus claims to not do this... the only time they list IPs that are not spam sources are pre-emptively when a spammer on their ROKSO list gets an account, and sometimes ISP's corporate mail servers (not the customers' ones, and not customer machines).
SORBS should be shut down. (Score:5, Interesting)
Re: (Score:3, Interesting)
Re:SORBS should be shut down. (Score:4, Insightful)
Re: (Score:2)
He's free to use the tools he likes to do the job. It's his mail server folks are trying to talk to. He's free to reject whoever he wants and for whatever reason.
Re: (Score:2)
Of course if his ISP is incapable of SWIP'ing them properly, this is hardly the fault of SORBS.
Re: (Score:2)
Sorry, but you are wrong, SORBS is untrustworthy. (Score:3, Interesting)
I have tried telling the idiots that they are wrong, but to no avail.
It's really a problem that people trust such a bunch of retards, because it's hard for the administrators of the mail servers to know if important mail is being blocked, very hard for users to know and even more impossible for users to smack some sense into the head of the fool who runs their mail server.
What I have done instead of using the static and poorl
Re: (Score:2)
That's what rDNS is for. If it's not working, they should contact their ISP.
Re: (Score:2)
wah wah wah... (Score:2)
Re: (Score:2)
I agree with this assessment. SORBS is one of those spam fanatical groups that should be convinced they need a regime change. They are way too aggressive.
One RBL list that I was using briefly because of false positives still had an interesting approach. They blocked anyone who was reported as delivering spam for 45 minutes and then removed them from the list. The problem for me was that they blocked the mailing lists that I subscribe to.
They should never report mailing lists as sending spam. The mailing lists are
Re: (Score:2)
I object to SORBS on ideological grounds - that its fee for delisting is about as close as you can get to extortion without actually breaking the law.
It is also frighteningly easy to get listed. They look after a number of 'secret
Orange = Wanadoo (Score:5, Informative)
Re: (Score:3, Informative)
Re: (Score:2, Informative)
But pretty much EVERY ISP is spam-friendly (Score:3, Interesting)
The problem with this argument is, as usual, collateral damage. While there may be a spammer using Wanadoo somewhere, there are also many legitimate users who will be caught in the blast radius.
Before anyone replies with the usual holier-than-thou "Well they should change their ISP then", please consider that this is not trivial for a lot of people. Moreover -- and here's the real kicker -- pretty much every ISP is "spam-friendly" because, as the recent spam wave has demonstrated all too clearly, pretty m
it's not the provider's job to delist itself (Score:2, Insightful)
but if you think your users would pressure some admin so they get back to you,
that is keeping mails hostage and not an acceptable practice.
if you do that, it is not part of the solution, it is part of the problem.
Use spam assassin with more that one RBL (Score:4, Insightful)
I keep the weightings quite low since I find most of the RBLs too aggressive - added to the Bayes and other checks however it is quite good at pushing spam into the right destination (and for the very spammy thats
True this means I actually have to receive and process the mail rather than just arbitrarily ignoring connections, but my mail server doesn't really get that much traffic as it's only personal use.
Re:Use spam assassin with more that one RBL (Score:5, Informative)
Re: (Score:2)
That's elegant. Can you share?
Re: (Score:2)
Yes, combination techniques are definitely the way to go. Any one RBL (or content test for that matter) can be fooled or make a mistake. Fooling many such tests or accidentally hitting all of them is much less likely.
Looking at the filtered headers for a system I admin, which catches nearly all incoming spam and very rarely (perhaps once in six months) gets any false positives, the vast majority of the real spam is picked up by several RBLs, and then fails several of the content tests as well.
There is s
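The combination approach described in this comment (and the SURBL comment earlier in the thread, where URLs in the body are checked against a list) can be shown in a few dozen lines. The following is an added example, not code from the original page or from SpamAssassin: it builds the DNSBL query name for a connecting IP (octets reversed, zone appended), the URIBL query name for each host found in the body, and adds per-list weights to a score, so that no single list decides on its own. The zone names, weights and threshold are hypothetical, and DNS is replaced by a constructed in-memory table so it runs offline; pass a real resolver function (query name in, answer string or None out) to use it live.

```python
"""Weighted scoring across several DNSBLs plus a URI blacklist (SURBL-style),
so that no single list decides on its own. Added example with hypothetical
zone names; the resolver is a constructed in-memory table standing in for DNS.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed DNS answers. Real lists answer a listed query with an address in
# 127.0.0.0/8 (127.0.0.2 is the common generic "listed" code) and NXDOMAIN
# (None here) otherwise.
FAKE_DNS = {
    "4.3.2.1.ipbl-one.example.test": "127.0.0.2",
    "4.3.2.1.ipbl-two.example.test": "127.0.0.2",
    "evil-pharma.test.uribl.example.test": "127.0.0.2",
}

# Per-list weights, deliberately below the threshold so that a single list
# (which may be wrong or over-aggressive) cannot reject a message by itself.
IP_LISTS = {"ipbl-one.example.test": 2.0, "ipbl-two.example.test": 1.5}
URI_LISTS = {"uribl.example.test": 2.5}
THRESHOLD = 5.0

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_listed(answer):
    """True only for a genuine listing answer. Some lists use 127.255.255.x
    to signal query errors (e.g. a blocked or over-quota resolver); treat
    those as 'no hit' rather than as a listing."""
    return (answer is not None and answer.startswith("127.")
            and not answer.startswith("127.255.255."))


def ipbl_query_name(ip, zone):
    """DNSBL convention: octets reversed, then the list's zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects garbage input
    return ".".join(reversed(octets)) + "." + zone


def uribl_query_name(host, zone):
    """URIBL convention: the host name itself, then the zone appended."""
    return host.rstrip(".") + "." + zone


def extract_hosts(body):
    """Host names of all http(s) URLs found in the message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def score_message(client_ip, body, resolver=FAKE_DNS.get):
    """Return (score, hits, is_spam). The IP part needs only the connecting
    address and could run before DATA; the URI part needs the body."""
    score, hits = 0.0, []
    addr = ipaddress.IPv4Address(client_ip)
    if addr.is_global:  # never query public lists for private/loopback space
        for zone, weight in IP_LISTS.items():
            if is_listed(resolver(ipbl_query_name(client_ip, zone))):
                score += weight
                hits.append(zone)
    for host in sorted(extract_hosts(body)):
        for zone, weight in URI_LISTS.items():
            if is_listed(resolver(uribl_query_name(host, zone))):
                score += weight
                hits.append(f"{zone}:{host}")
    return score, hits, score >= THRESHOLD


if __name__ == "__main__":
    print(score_message("1.2.3.4", "Cheap meds at http://evil-pharma.test/buy"))
```

With the constructed table, a message from 1.2.3.4 that also links to evil-pharma.test scores 6.0 and is rejected, while the same sender with a clean body only reaches 3.5: two IP lists agreeing is not enough on its own, which is the point of keeping the weights low.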
Freedom2Surf (Score:4, Interesting)
They're currently allegedly trying to extort money from a UK ISP Freedom2Surf (sadly now part of the Pipex group).
By default SORBS apparently block all dynamic IPs. For some strange reason they've deemed that 8192 IPs that are actually in the F2S static range are dynamic because the reverse DNS includes the IP address.
I've heard that they want $50 per IP to unblock them. They won't even talk to users who have a static IP address in that range to get the block lifted.
Re: (Score:2)
Answered by editor (Score:2)
That about sums it up.
SORBS should be avoided at all costs (Score:4, Informative)
Large netblocks will be repeatedly put onto one of their lists if they don't comply with the founder/main admin's idea of how reverse DNS should be configured. They will list IP blocks that don't conform to an RFC that, funnily enough, he wrote.
Getting in contact with them in any reasonable timeframe is damn near impossible in any timely manner.
Primary/Secondary SMTP servers of ISPs will often be listed as part of their blanket block approach.
They continually block whole IP ranges that are statically assigned, often automatically with seemingly no human oversight. There can be found many complaints on assorted web forums across the net, especially Australian, full of people trying to figure out why they were listed on one of the SORBS lists, and how to be removed.
Almost all of the issues I have run into with SORBS don't seem to have anything to do with eliminating spam, more to do with pushing the founder's RFC for reverse lookups. Comply, and you are free from hassle forever. Fail to comply, and face losing SMTP access to any providers using SORBS for anywhere from a day to over a week.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
An RFC is a Request For Comments. It's a suggestion that may or may not become standard practice. It's in no way "law". It's up to software writers and administrators whether or not to implement them. Now, you have some choices... my own sendmail server ignores connections from hosts that don't have full compliance with RFC 821, for example. That's basic greylisting. But his suggested RFC has not passed into canon by any stretch.
Re: (Score:2)
Linked here [ietf.org]
There is absolutely no chance of this becoming an RFC. It's utterly facile.
SORBS!!! I'd like to ABsorb the so-and-so's!!! (Score:5, Interesting)
If you visit their site their tag line says "Fighting spam by finding and listing Exploitable Servers." This really should read "Exploiting small businesses through a cash for delisting scam".
Oh, and I forgot to mention, I've been told that the two major Australian ISPs who use SORBS just happen to form part of the "group of companies as a private venture" that make up SORBS. Interesting huh?
Re: (Score:3, Informative)
Re: (Score:2)
That's a very shortsighted view. We had defamation laws for a reason, and that reason is that while sticks and stones will break your bones, words most certainly can hurt you as well. I don't see why the actions of SORBS -- which sound like a pretty obvious protection racket looking at the comments in this thread -- wouldn't lead to a very fast court case with a very negative result for the operators of SORBS.
Re: (Score:2)
Truth is proof against defamation.
Re: (Score:2)
How do you figure that out?!
If I'm in danger of successfully suing one company, do you think the other companies in the same industry are going to line up with signs saying "Sue us too!"?
Re: (Score:2)
I'd say a little of column a, a little of column b.
I mean, sure, most of the blacklists say 'Hey, don't use this to reject mail completely!' They generally, however, go on to say '*wink wink* if you really want to, though, here's a config file snippet to drop into your mail config. *wink wink*'.
Re: (Score:2)
Well, there's your problem right there! Most people don't really like legal threats, and amongst the more fanatical anti-spammers, they're quite the source of amusement. I submit for your consideration the cart00ney.org blacklist [surriel.com], which is an RBL specifically for listing people that send legal threats to blacklist operators. I also suggest that you search Google Groups' archive of NANAE for 'Matthew Sullivan' and 'cart00ney', because I'm sure your threat got a go
SpamHaus, SPEWS and SpamCop (Score:4, Informative)
For a few years now, I've been using three RBLs to filter the incoming mail on our mail server, which hosts a few small-sized customers and some personal domains. The RBLs I use are: SpamHaus, SPEWS and SpamCop. We have set them up in sequence, so that a mail caught by one is not passed on to the following ones.
Looking at two days ...
... it shows the trend I've seen over this time: SpamHaus does a great job for me and we haven't received any complaints from the customers concerning people not able to contact them.
Given these (poor-man's statistics) it seems that SPEWS is of little use to us. SpamHaus catches most of the problems. Maybe even if we switched SPEWS' and SpamCop's order, we might see that the latter would be able to catch those mails now caught by the former. It's surely something we're going to try.
On the other hand, it might very well be that SPEWS would catch also all SPAM caught by SpamHaus. Reversing the current order might be a nice test before we come to any real conclusions on which RBL to drop ;-)
The (current) bottom line: For us, SPEWS isn't causing any problems, but also doesn't help us that much. SpamHaus seems to be a great RBL source and SpamCop seems to be a nice addition.
But it doesn't stop all SPAM.
Re: (Score:2)
(FYI: In the interest of full disclosure, I work for IntelliContact)
I would suggest staying away from it (Score:2)
I tried it for 2 weeks around the time when SpamHaus futu
SORBS? (Score:2, Insightful)
On the other hand, getting a blacklist like this, doesn't seem to solve your problem: getting less SPAM. Do you think spammers don't have enough mo
sbl-xbl (Score:5, Informative)
sorbs is one the best blacklists out there (Score:3, Informative)
1. Only the owner of the address space may contact them, as listed in one of the five RIR databases (RIPE, ARIN etc). We always use abuse@isp.com, because this is a known address in RIPE.
2. The IP address must be known as static and have a PTR-record stating it is static (mail.domain.com is acceptable).
3. It must have a correct A-record.
4. The TTL of the A-record must be 86400 sec.
If you contact them in the way they wish to be contacted (just read their website, it's not that hard), they will delist you in 24-48 hours. However, if you aren't the owner of the address space or the simple rules are not followed, your request will be ignored. Everyone who thinks they can't get through to SORBS just isn't reading their guidelines, it's that simple.
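Before filing a delisting request against rules like the ones listed in this comment, it is worth checking the DNS side yourself. The following is an added example, not code from the page or from SORBS: it checks that the address has a PTR, that the PTR name does not look like a generic per-address (dynamic) name, that the name forward-confirms to the same address, and that the A record TTL is long enough. The records come from a constructed in-memory table with hypothetical names standing in for DNS, and the 86400-second TTL from the comment is treated as a minimum, which is an assumption on my part.

```python
"""Pre-flight check of DNS prerequisites before asking for a delisting:
PTR present, PTR not generic/dynamic-looking, forward-confirmed rDNS, and a
long enough A record TTL. Added example; records below are constructed."""
import ipaddress
import re

# Constructed records (hypothetical names): name -> (value, ttl).
PTR_RECORDS = {
    "4.3.2.1.in-addr.arpa": ("mail.static-example.test.", 86400),
    "8.7.6.5.in-addr.arpa": ("dsl-5-6-7-8.dyn-example.test.", 3600),
    "12.11.10.9.in-addr.arpa": ("mx.other-example.test.", 86400),
}
A_RECORDS = {
    "mail.static-example.test.": ("1.2.3.4", 86400),
    "dsl-5-6-7-8.dyn-example.test.": ("5.6.7.8", 300),
    "mx.other-example.test.": ("9.9.9.9", 86400),  # points elsewhere: FCrDNS fails
}
# Words commonly found in generic access-network names (heuristic, not a standard).
GENERIC_WORDS = ("dsl", "dyn", "dhcp", "pool", "ppp", "cable", "dialup")


def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def looks_generic(hostname, ip):
    """Heuristic for 'dynamic-looking' names: the address's octets embedded in
    the name (decimal with any separators, or packed hex) or a typical
    access-network keyword. This mirrors the complaint elsewhere in the thread
    that names containing the IP were treated as dynamic."""
    name = hostname.lower()
    octets = ip.split(".")
    if re.search(r"\D".join(octets), name):      # e.g. dsl-5-6-7-8
        return True
    if "".join(f"{int(o):02x}" for o in octets) in name:  # e.g. 05060708
        return True
    return any(word in name for word in GENERIC_WORDS)


def check_delisting_prereqs(ip, ptr=PTR_RECORDS, a=A_RECORDS, min_ttl=86400):
    """Return a list of problems; an empty list means every check passed."""
    rec = ptr.get(reverse_name(ip))
    if rec is None:
        return ["no PTR record"]
    host, _ptr_ttl = rec
    problems = []
    if looks_generic(host, ip):
        problems.append(f"PTR {host} looks generic/dynamic")
    fwd = a.get(host)
    if fwd is None:
        problems.append(f"no A record for {host}")
    else:
        addr, ttl = fwd
        if addr != ip:
            problems.append(f"A record for {host} is {addr}, not {ip} "
                            "(forward-confirmed rDNS fails)")
        if ttl < min_ttl:
            problems.append(f"A record TTL {ttl} is below {min_ttl}")
    return problems


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.10.11.12", "203.0.113.7"):
        print(ip, check_delisting_prereqs(ip) or "ok")
```

To run it against live DNS, replace the two dictionaries with lookups (PTR for the reversed name, then A for the returned host) and keep the same checks; the generic-name heuristic is only a guess at what a list operator's automation might flag, so treat its output as a prompt to look at the name, not as a verdict.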
Re: (Score:3)
So far in my experience RBLs have an unacceptably high false positive rate because of the way most of them work - they go by IP _ranges_.
My email provider doesn't block spam for me, they just give it a spam ranking. I then run my email through a bayes filter, if the ISP's ranking is high enough for my comfort or the bayes thingy thinks it's spam, then it's spam.
So far I've noticed only a few false positives (I scan very quickly
Re: (Score:3)
Maybe a change of tactics is in order. (Score:4, Informative)
SpamHaus (Score:4, Interesting)
We actively discourage people from using SORBS. Even if they were more accurate, their removal policy is extortion.
Any of the other blacklists out there I would recommend only as part of a scoring algorithm. Most are fairly cavalier about blocking entire netblocks even if the problem is isolated, most have no automatic aging of entries, many have poor delisting policies or are slow to respond and the false positive rates tend to vary from ok to abysmal (SpamCop, for example, doesn't seem to know the difference between a bounce message and a piece of spam... though to their credit they are fairly good about removals and provide a feedback loop so you at least know when they've tagged a message as spam).
Re: (Score:2)
Blacklists are so 2004 (Score:4, Informative)
Just say "no" (Score:2)
Ah, well.
No one takes them seriously (Score:4, Interesting)
My own fun story is that they went on to my web site and subscribed their spamtraps to my opt-in email list. I didn't double-confirm, so I guess it's my fault that they scammed me. SORBS then used the emails emitted from that single IP address to justify blocking 8,192 of my ISP's email addresses.
Every other RBL maintainer has found my list to be clean. The only non-SORBS problem I've had with an RBL was with Spamcop. That was immediately resolved when the only folks who responded to further inquiry apologized for reporting the list mail by mistake.
URIBLs are great (Score:2)
Wrong Layer (Score:2, Insightful)
Blacklists are bad, mmmkay (Score:2)
Blacklists do have a use, however. Use them with something like SpamAssassin. Rather than reject mail based on the list, just add points to the score.
My experience with SORBS (Score:2)
To get de-listed you had to meet a couple of requirements. You had to have an MX record as a hostname (pretty much the standard). You had to have a reverse DNS or PTR record for the address. I used their ticket logging system to send them a compelling argument, and the whole Class C was fi
CBL - Composite Block List (Score:2)
As an aside, if you're being flooded with the stock spams, implement a filter to silently drop mails with a message-ID containing "6c822ecf"
No such thing as a "better" blacklist... (Score:2)
Blacklists are (nearly) useless. (Score:2)
91 Relay access denied
135 http://www.spamhaus.org/SBL/sbl.lasso
2306 http://www.spamcop.net/bl.shtml
4364 greylist expired
6007 Sender address rejected
41144 Helo command rejected
117479 Recipient address rejected
As you can see, the most common hit is trawling for valid names. Second most common hit is people claiming to be the domain they're sending to. We've got Postfix set to say 'F off' to any machine that lies in HELO, fail
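The reject counts in this comment are the kind of thing a short log tally produces. The following is an added example, not code from the page or from Postfix: it parses `NOQUEUE: reject:` lines from Postfix's smtpd log, classifies each rejection (DNSBL hit by zone, greylisting, recipient/sender/HELO rejection, relay denied) and counts them by reason and by client address. The log lines are constructed for the example (RFC 5737 documentation addresses and made-up domains), though the message texts follow Postfix's real wording; the category names are my own.

```python
"""Tally Postfix smtpd rejections by reason and by client. Added example;
the log lines below are constructed, standing in for /var/log/mail.log."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan  5 10:00:00 mx postfix/smtpd[1234]: connect from unknown[192.0.2.9]
Jan  5 10:00:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=192.0.2.10; from=<a@example.net> to=<bob@example.org> proto=ESMTP helo=<example.net>
Jan  5 10:00:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.1.8 <x@nx.invalid>: Sender address rejected: Domain not found; from=<x@nx.invalid> to=<bob@example.org> proto=ESMTP helo=<nx.invalid>
Jan  5 10:00:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.net> to=<nobody@example.org> proto=ESMTP helo=<example.net>
Jan  5 10:00:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 550 5.1.1 <admin@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.net> to=<admin@example.org> proto=ESMTP helo=<example.net>
Jan  5 10:00:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 504 5.5.2 <mx>: Helo command rejected: need fully-qualified hostname; from=<d@example.net> to=<bob@example.org> proto=SMTP helo=<mx>
Jan  5 10:00:06 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 454 4.7.1 <carol@elsewhere.test>: Relay access denied; from=<e@example.net> to=<carol@elsewhere.test> proto=ESMTP helo=<example.net>
Jan  5 10:00:07 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 450 4.2.0 <bob@example.org>: Recipient address rejected: Greylisted, see http://greylist.example.test/help.html; from=<c@example.com> to=<bob@example.org> proto=ESMTP helo=<mail.example.com>
""".splitlines()

# Stage (RCPT, MAIL, HELO...), client, SMTP code, enhanced status code and the
# reason text up to the "; from=" tail that Postfix appends.
LOG_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"(?P<reason>.*?)(?:; from=|$)"
)
DNSBL_RE = re.compile(r"blocked using ([A-Za-z0-9.-]+)")
CATEGORY_PATTERNS = [                      # checked in order, first match wins
    ("recipient_rejected", re.compile(r"Recipient address rejected")),
    ("sender_rejected", re.compile(r"Sender address rejected")),
    ("helo_rejected", re.compile(r"Helo command rejected")),
    ("relay_denied", re.compile(r"Relay access denied")),
]


def classify(reason):
    """Map a reject reason to a category; DNSBL hits are keyed by zone."""
    if re.search(r"greylist", reason, re.IGNORECASE):
        return "greylist"          # before the generic recipient check
    m = DNSBL_RE.search(reason)
    if m:
        return "dnsbl:" + m.group(1)
    for label, pattern in CATEGORY_PATTERNS:
        if pattern.search(reason):
            return label
    return "other"


def parse_line(line):
    """Return a dict for a reject line, or None for any other log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = classify(rec["reason"])
    rec["permanent"] = rec["code"].startswith("5")   # 5xx vs 4xx temporary
    return rec


def tally(lines):
    """Counts by category and by client IP, as two Counters."""
    by_category, by_client = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_category[rec["category"]] += 1
            by_client[rec["ip"]] += 1
    return by_category, by_client


if __name__ == "__main__":
    by_category, by_client = tally(SAMPLE_LOG)
    for category, n in sorted(by_category.items(), key=lambda kv: kv[1]):
        print(f"{n:>6} {category}")
    print("top clients:", by_client.most_common(3))
```

Counting by client as well as by reason is what turns the list above into something actionable: one address hitting "Recipient address rejected" many times is a directory-harvest attempt, which is worth rate-limiting at the SMTP layer, whereas the same reason spread thinly over many clients is background noise.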
Re: (Score:2)
Re: (Score:2)
Any scoring algorithm that relies only on the sending server IP address, HELO data, MAIL FROM, and RCPT TO can be done prior to DATA. There are plenty of tools that implement an SMTP server front-end and do scoring at this level, and blocking based on the score.
Re: (Score:2)
That is because e-mail is an inherently broken set of protocols that were designed in the 70's as a hack to implement a store and forward message system on the old ARPAnet. If the e-mail industry spent the same amount of effort on engineering a next generation set of e-mail protocols and authentication methods that they spend on hacks like black hole lists, w
Re: (Score:2, Insightful)
I think you're right on the mark though with the pharmacy analogy. We were able to implement SMTP to ESMTP quite easily so it shows people can definitely implement changes in protocols.
I also vote with people who think black hole lists are pretty much useless these days because they swallow up so many innocent people/organizations.
It would be nice to have an open source barracuda ( http://www.barracuda [barracudanetworks.com]
Re: (Score:2)
Nothing about integrating public key crypto (or other signing technologies) into the e-mail infrastructure eliminates the ability to send anonymous e-mail. But it DOES make it a certainty that you can identify anonymous or fraudulent e-mail and reject it at the protocol level if you choose to do so. The lack of a pervasive authenticated e-mail infrastructure is the only reason spam exists. If the se
Re: (Score:2)
Let them choose something else. The spammers broke email.
It's not like one can't just sign up on one of a zillion webmail accounts anyway.
Re: (Score:2)
These have been around for several years, but the uptake of TLS/SSL aware SMTP servers has been slow, and the adoption of signed/secure email has also been very slow. The first problem lies mostly with mail server admins, because setting up even self-signed certs is time-consumi
Re: (Score:2)
X.400 was tried. No one wants it. Rather than assert that a sprinkling of magic PKI fairy dust will fix everything, why don't you actually detail the problem?
And I've said it before: The problem is not a technical one. Any ISP that actually gives enough of a shit to roll out such drastic revamps of their entire email i