
SORBS - Is There a Better Spam Blacklist? 226

Posted by Cliff
from the blacklists-in-general-are-like-this dept.
rootnl asks: "Recently I decided to upgrade my email server with better spam detection and decided to use the SORBS blacklist. It is a very aggressive blacklist and could be deemed quite effective. However, I discovered two totally legal servers currently being blocked by their Spam 'o Matic service: a Google Gmail server (64.233.182.185), and another server belonging to an ISP called Orange (193.252.22.249). Now, normally one would think these providers would probably get themselves de-listed, but the process provided revolves around donating money. As I just happen to have a friend that is using the said ISP, I have to seriously reconsider using SORBS. What is your experience with SORBS? If you have alternatives, what would you suggest as a better blacklist service?"

  • Dunno about better (Score:5, Informative)

    by melonman (608440) on Friday January 05, 2007 @05:00AM (#17470940) Journal

    But avoid SPEWS like the plague. They have a wonderful policy of blacklisting entire 16-bit IP ranges because one machine in an enormous server park has been used to send spam.

    They know this causes massive collateral damage to machines administrated by totally independent companies, many of them small and liable to suffer severe hardship because of this arbitrary action. That's precisely the idea: they keep hurting non-spammers to make them lobby the server parks to deal with the spammers.

    Unless you think that kidnapping children and refusing to return them unless their parents fight the mafia for you is an ethical law-enforcement policy, SPEWS is obviously far far worse than the problem they are allegedly attempting to solve.

    • by Brightest Light (552357) on Friday January 05, 2007 @05:22AM (#17471038) Journal
      What exactly is an RBL operator supposed to do about large server parks that simply do not give a shit about the spammers residing on their network? What do you do about networks that actively aid spammers by moving them around and around to clean IP space as they're blacklisted? Playing IP whack-a-spammer went out of fashion years ago, and obviously asking politely doesn't work. Yeah, finding your ISP listed on SPEWS sucks, because there's no real way to contact them; though you can beg in NANAE and NANABL for the entertainment of the wannabe 'spam-fighters' till you're blue in the face -- but if your ISP does not care about the fact that one of their customers is stealing bandwidth, CPU cycles, and time from other people and their ISPs, what else can SPEWS do about it? My understanding of the SPEWS escalation process is that they notify the ISP about the spammer on their network, and then if nothing is done, they list the surrounding IP blocks in an ever-increasing fashion. Meaning if the ISP simply does not care that there's a spammer on their network, they are made to care by virtue of their entire netspace being (eventually) listed. What else *can* an RBL operator do when the ISP does not listen or care? I ask this as a serious question. IANASFBFNANAE (I am not a SPEWS fan boy from NANAE) - in fact, I don't directly use RBLs any longer.
      • by Scarblac (122480)
        What they can do is list the IPs from which spam has originated. Period. That's what they're supposed to do.
        • by Pig Hogger (10379)

          What they can do is list the IPs from which spam has originated. Period.

          And you will have as much spam as before.

          Spam-friendly ISPs will regularly give different IP addresses to spammers.

          SPEWS stands for SPam Early Warning System. That is, it BLOCKS spam BEFORE it leaves the network, in anticipation of the ritual spammer IP address change. And that can only be achieved by listing the whole IP range of the spam-friendly ISP.

          • by nuzak (959558)
            Spam Prevention Early Warning System, actually.

            And while their listing expansion policy has always been pretty zealous, the best thing SPEWS had going for it was its evidence files, containing sample spam and WHOIS information. I speak in the past tense because they're always woefully out of date these days, and the information is worse than nothing when you have to look at it then hit whois to see who the REAL owners are now. I don't think any mail admin seriously uses SPEWS anymore except as a very mino
        • by LurkerXXX (667952)
          No, that's what YOU think they are supposed to do. Myself, I like to know what asshole ISPs are out there that like to host spammers and give them a new IP every day, and just block the whole crappy ISP. If you want your mail to get to my mail server, start using another ISP with ethics, otherwise I'm just going to bounce everything you send because I'm tired of dealing with all the crud from your ISP. That's what I want them to do. :)
      • by Ed Avis (5917)
        It's not the RBL's job to fight spam, only to give an honest estimation of how likely a particular IP address is to be a spammer. People can then use this to configure their mail system to filter out most spam and let through most legitimate mail.

        If SPEWS feel the need to punish ISPs for their behaviour, they need two classes of blacklist: one that says 'this address sends spam', and one that says 'this address probably isn't a spammer, but it belongs to a Bad Network'. Then let users choose for themselve
        • Re: (Score:3, Informative)

          by mvdwege (243851)
          If SPEWS feel the need to punish ISPs for their behaviour, they need two classes of blacklist: [...]

          People would take you a lot more seriously if you would do your homework before making bold statements.

          Hint: try reading the SPEWS FAQ and looking at the database before spouting off.

          Mart
      • by Lost Race (681080) on Friday January 05, 2007 @06:52AM (#17471488)

        SPEWS is probably not relevant any more. There have been no changes to the published DNSBL zones since 2006-08-24; apparently the database is no longer being maintained.

      • by fractalus (322043)
        What you're supposed to do is suck it up and take it like a man.

        Let me explain. You have to decide what it is you're trying to accomplish as a blacklist operator. Are you trying to advise people of spam sources? Or are you trying to punish spammers and their friends?

        If you're just trying to advise people of spam sources, so that they can choose not to receive mail from spammers, then do just that. List spam sources, and stop there. Mission accomplished, although spammers will move around and you'll have t
        • by LurkerXXX (667952)
          Don't like that? Don't run a blacklist.

          Wow, I'm glad they have you to tell them how they have to run a blacklist.

          FYI, some ISPs give spammers new IP addresses every day. IMO there's just one way that should be dealt with, block the ISP entirely. There's no need to take in new spam every day until you catch that day's list of IPs from that ISP. Just blocking the ISP is much more efficient. If there is collateral damage, that's the fault of the crappy ISP.

          Don't like how they run their blacklist? Tough.
      • by iangoldby (552781)

        What exactly is an RBL operator supposed to do about large server parks that simply do not give a shit about the spammers residing on their network?

        The original post explained why the end does not justify the means. You 'counter' it by insisting that since you can't think of anything better the end does justify the means. Welcome to rational debate.

        Not that I'm blaming you - and you did say that you don't use RBLs anymore.

        Perhaps since there is no 'rational' answer to this question of priorities, the best s

        • Actually, I was not attempting to 'counter' or debate anything. I asked a simple question. Welcome to third-grade reading comprehension.

          At no point did I suggest that the ends justified the means, I merely asked what alternatives an RBL operator has when faced with an ISP that knows, but does not care that spammers reside on and operate from their network. What precisely *are* they supposed to do? Playing whack-a-spammer by only listing IPs that send spam does not work when there are ISPs that actively ai
    • by Pig Hogger (10379)

      But avoid SPEWS like the plague. They have a wonderful policy of blacklisting entire 16-bit IP ranges because one machine in an enormous server park has been used to send spam.
      They know this causes massive collateral damage to machines administrated by totally independent companies, many of them small and liable to suffer severe hardship because of this arbitrary action. That's precisely the idea: they keep hurting non-spammers to make them lobby the server parks to deal with the spammers.

      Bullshit. SPE

    • by Tinfoil (109794) *
      My current employer was listed on SPEWS for this very reason. However, my provider did deal with the issue in a very quick and timely manner, IMHO, by shutting down the spammers account within 24 hours of my bringing it to their attention, but SPEWS took their damned time removing the block. It caused some rather large headaches for a week or two as our primary vendor supplying 80% of our stock was utilizing SPEWS.

      SPEWS is bad. SORBS isn't horrible. The problem with many block lists is that they are, more o
    • by mrmeval (662166)
      The server park can deal with the asshat spammer or lose business.
    • by nuzak (959558)
      > Unless you think that kidnapping children and refusing to return them unless their parents fight the mafia for you is an ethical law-enforcement policy,

      BadAnalogyGuy, is that you?
  • SURBL (Score:5, Informative)

    by tootired (91527) on Friday January 05, 2007 @05:13AM (#17470988) Homepage
    SURBL is a URL blacklist.

    Employing it enables your spam software to block emails that have matching blocked urls in the message body.

    I have not gotten any false positives with it and it blocks a ton of nasty phishing stuff in addition to the usual SpermaMAXX crap.
  • by dtfinch (661405) * on Friday January 05, 2007 @05:19AM (#17471018) Journal
    All the blacklists I know have a tendency to block entire ISPs rather than just the ranges known to generate spam, if they think the ISP isn't taking sufficient action against its spammers or spambot infected customers.
    Blacklists and whitelists are useful, but I wouldn't use them as the sole indicator of whether or not an email is spam.
    • by dtfinch (661405) *
      Pretend I said "blacklist" instead of "block", since the lists don't do the blocking.
    • Re: (Score:3, Informative)

      by mutterc (828335)

      Spamhaus claims to not do this... the only time they list IPs that are not spam sources are pre-emptively when a spammer on their ROKSO list gets an account, and sometimes ISP's corporate mail servers (not the customers' ones, and not customer machines).

  • by finchwizard (889672) on Friday January 05, 2007 @05:19AM (#17471022)
    I'm sorry but SORBS should be shut down. The amount of time I myself and many colleagues have managed to get onto SORBS because we were classed as a dynamic IP range, despite having blocks of IPs, and it's extremely hard to get off it. I understand blocking people with open relay servers, but being in a dynamic range, which can mean IPs being assigned to you from your ISP, is a joke. Everyone should be boycotting these guys; two of the large ISPs in Australia use these guys to filter out spam, and are being blocked by small businesses and education. I've never posted comments on Slashdot yet, but this is one I feel very strongly on, and SORBS should be avoided at all costs. If they deem you a spammer, despite proving to them you are not, they still reserve the right to keep you on the list and completely screw over your business.
    • Re: (Score:3, Interesting)

      by CowboyBob500 (580695)
      I use SORBS precisely because they block dynamic IP ranges. 99% of spam comes from trojaned machines on dynamic IPs and I find this extremely effective at blocking spam. If your mailserver lives on a dynamically assigned IP then that is your problem. In my opinion a mail server should ALWAYS be on a static IP - I view it as a sign of a trusted mail server. If your ISP can't provide this, then you need to change your ISP. I'm sorry, but I have absolutely no sympathy in this situation. There is no reason for
      • by finchwizard (889672) on Friday January 05, 2007 @05:35AM (#17471106)
        All 30 IPs I rent are static, and that has never changed over the years I've owned them; my servers are also running Linux and are very secure with both SpamAssassin and ClamAV scanning, as well as blocking certain mimetypes. So don't give me dynamic IP range stuff. I was lucky that my ISP managed to straighten them out, but I've had friends that aren't as lucky. Of course SORBS is going to block a high rate of spam; it's also blocking a lot of legitimate people, and the fact they are extorting people to get off the list is ludicrous.
        • by LurkerXXX (667952)
          I use spamd and RBLs and don't have to waste CPU cycles on SpamAssassin, so don't give me any of this dynamic IP ranges are OK stuff...

          He's free to use the tools he likes to do the job. It's his mail server folks are trying to talk to. He's free to reject whoever he wants and for whatever reason.
          • by nuzak (959558)
            I don't think you're reading the GP properly. He claims his IPs are static.

            Of course if his ISP is incapable of SWIP'ing them properly, this is hardly the fault of SORBS.

        • by dodobh (65811)
          Just set reverse DNS up correctly. Then contact SORBS.
      • Well, I have a number of servers on static IPs that SORBS think are dynamic.

        I have tried telling the idiots that they are wrong, but to no avail.

        It's really a problem that people trust such a bunch of retards, because it's hard for the administrators of the mail servers to know if important mail is being blocked, very hard for users to know and even more impossible for users to smack some sense into the head of the fool who runs their mail server.

        What I have done instead of using the static and poorl
    • by c_g_hills (110430)
      SORBS does not block anybody. It is simply a tool used by postmasters to make decisions about what messages they wish to accept.
      • SORBS claim they list dynamic addresses, but they clearly don't and they don't care about fixing the problem.
    • by tacocat (527354)

      I agree with this assessment. SORBS is one of those spam fanatical groups that should be convinced they need a regime change. They are way too aggressive.

      One RBL list that I was using briefly because of false positives still had an interesting approach. They blocked anyone who was reported as delivering spam for 45 minutes and then removed them from the list. The problem for me was that they blocked my mailing lists that I subscribe to.

      They should never report mailing lists as sending spam. The mailing lists are

    • by iangoldby (552781)
      I don't think anyone who administers email on behalf of others should use SORBS. If you use the SORBS lists to block email, some legitimate email will be blocked. You can only really justify use of SORBS in this way if everyone affected understands and is happy with this situation.

      I object to SORBS on ideological grounds - that its fee for delisting is about as close as you can get to extortion without actually breaking the law.

      It is also frighteningly easy to get listed. They look after a number of 'secret
  • Orange = Wanadoo (Score:5, Informative)

    by grahamm (8844) <gmurray@webwayone.co.uk> on Friday January 05, 2007 @05:22AM (#17471034) Homepage
    Orange is part of Wanadoo who are known to be both spam friendly and to host spamvertised web sites. So maybe listing Orange is not such a bad idea.
    • Re: (Score:3, Informative)

      by Ksempac (934247)
      First, Wanadoo doesn't exist anymore. Second, Orange has never been part of Wanadoo. Wanadoo was the ISP branch of France Telecom (the main phone company in France), who bought the British mobile phone company Orange. Then they decided to merge all their mobile phone/ISP services in Europe (including Wanadoo and Orange, but also many others) into one single company called Orange [wikipedia.org]. Third, before saying some company is spam friendly, you should get some reliable source.
      • Re: (Score:2, Informative)

        by grahamm (8844)
        If you do a 'whois' search on the IP address given for the 'Orange' ISP it shows the owner as being Wanadoo Netherlands.
    • The problem with this argument is, as usual, collateral damage. While there may be a spammer using Wanadoo somewhere, there are also many legitimate users who will be caught in the blast radius.

      Before anyone replies with the usual holier-than-thou "Well they should change their ISP then", please consider that this is not trivial for a lot of people. Moreover -- and here's the real kicker -- pretty much every ISP is "spam-friendly" because, as the recent spam wave has demonstrated all too clearly, pretty m

  • if you run a anti spam filter, it is your job to make sure your data is accurate.
    but if you think your users would pressure some admin so they get back to you,
    that is keeping mails hostage and not an acceptable practice.

    if you do that, it is not part of the solution, it is part of the problem.
  • by simm1701 (835424) on Friday January 05, 2007 @05:25AM (#17471050)
    I prefer to use spam assassin and use a couple of RBLs with various weightings on each.

    I keep the weightings quite low since I find most of the RBLs too aggressive; added to the Bayes and other checks, however, it is quite good at pushing spam into the right destination (and for the very spammy that's /dev/null).

    True, this means I actually have to receive and process the mail rather than just arbitrarily ignoring connections, but my mail server doesn't really get that much traffic as it's only personal use.
    • by Zocalo (252965) on Friday January 05, 2007 @06:01AM (#17471222) Homepage
      To extend on that I also have a META rule set up to handle DNSBLs in SpamAssassin that adds some additional points based on how many RBLs each IP address has hit. A server on one DNSBL may be a false positive or an over aggressive listing, but if it's on three or four then it's almost certainly spam and gets an extra couple of points towards being classed as spam. If it matches five or more, then it gets an instant +50 file in the mailbox "/dev/null" score.
    • Yes, combination techniques are definitely the way to go. Any one RBL (or content test for that matter) can be fooled or make a mistake. Fooling many such tests or accidentally hitting all of them is much less likely.

      Looking at the filtered headers for a system I admin, which catches nearly all incoming spam and very rarely (perhaps once in six months) gets any false positives, the vast majority of the real spam is picked up by several RBLs, and then fails several of the content tests as well.

      There is s
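An added example, not code from the thread or from any list operator, tying together the approach simm1701 and Zocalo describe above (several DNSBLs, each given a low weight, with extra points when independent lists agree) and the ORDB shutdown notice further down the page (a retired zone has to be detected before it starts rejecting all mail). The zone names are the public zones of the lists discussed; the weights, thresholds, the hypothetical `dead.example` zone and every listing in the in-memory table are this example's own assumptions, constructed so the script runs offline.

```python
"""DNSBL lookups chained over several zones, with a list-agreement score.

Added example, not code from the Slashdot thread or from any list operator.
The resolver is a constructed in-memory table so the file runs offline;
swap `fake_lookup_a` for a real resolver (e.g. dnspython) in production.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str], List[str]]

# Public zone names of the lists the thread discusses. The weights are this
# example's assumption; which lists are safe to reject on is the page's debate.
ZONE_WEIGHTS: Dict[str, float] = {
    "zen.spamhaus.org": 3.0,
    "bl.spamcop.net": 1.5,
    "dnsbl.sorbs.net": 1.0,
}

# Constructed DNS data (query name -> A records). None of these are real
# listings. 127.0.0.2 / 127.0.0.1 are the RFC 5782 test entries every DNSBL
# must list / must not list; "dead.example" is a hypothetical retired zone
# that now answers for every query, as a dead list sometimes ends up doing.
FAKE_DNS: Dict[str, List[str]] = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.dnsbl.sorbs.net": ["127.0.0.2"],
    "2.0.0.127.dead.example": ["127.0.0.2"],
    "1.0.0.127.dead.example": ["127.0.0.2"],
    "8.113.0.203.dead.example": ["127.0.0.2"],
    "8.113.0.203.zen.spamhaus.org": ["127.0.0.4"],
    "8.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "8.113.0.203.dnsbl.sorbs.net": ["127.0.0.10"],
    "7.113.0.203.dnsbl.sorbs.net": ["127.0.0.10"],
}


def fake_lookup_a(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 203.0.113.8 -> 8.113.0.203.zone."""
    addr = ipaddress.IPv4Address(ip)          # raises on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def listing_codes(answers: List[str]) -> List[str]:
    """Keep only 127.0.0.0/8 answers; anything else is not a DNSBL listing."""
    codes = []
    for a in answers:
        try:
            if ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8"):
                codes.append(a)
        except ValueError:
            continue
    return codes


def zone_is_sane(zone: str, lookup: Lookup = fake_lookup_a) -> bool:
    """RFC 5782 health check before trusting a zone: the test point 127.0.0.2
    must be listed and 127.0.0.1 must not be. A retired zone that answers for
    everything (or for nothing) fails and is dropped from the chain instead
    of rejecting all mail."""
    listed = listing_codes(lookup(dnsbl_query_name("127.0.0.2", zone)))
    unlisted = listing_codes(lookup(dnsbl_query_name("127.0.0.1", zone)))
    return bool(listed) and not unlisted


def check_ip(ip: str, zones: Dict[str, float] = ZONE_WEIGHTS,
             lookup: Lookup = fake_lookup_a) -> Dict[str, List[str]]:
    """Query every sane zone; return {zone: [return codes]} for the hits."""
    hits: Dict[str, List[str]] = {}
    for zone in zones:
        if not zone_is_sane(zone, lookup):
            continue
        codes = listing_codes(lookup(dnsbl_query_name(ip, zone)))
        if codes:
            hits[zone] = codes
    return hits


def classify(ip: str, zones: Dict[str, float] = ZONE_WEIGHTS,
             lookup: Lookup = fake_lookup_a, tag_at: float = 2.0,
             reject_at: int = 3) -> Tuple[float, str]:
    """Weighted score plus a bonus when independent lists agree. A single
    listing only tags (it may be a false positive or an aggressive list);
    agreement of reject_at lists rejects outright."""
    hits = check_ip(ip, zones, lookup)
    score = sum(zones[z] for z in hits)
    if len(hits) >= 2:
        score += 1.0 * (len(hits) - 1)
    if len(hits) >= reject_at:
        return score, "reject"
    return score, ("tag" if score >= tag_at else "accept")


if __name__ == "__main__":
    for ip in ("203.0.113.8", "203.0.113.7", "203.0.113.6"):
        print(ip, check_ip(ip), classify(ip))
```

The order of the three checks matters: `zone_is_sane` runs before any real query so a zone that has gone dark or started wildcarding is skipped rather than trusted, and `listing_codes` throws away any answer outside 127.0.0.0/8, which is what a hijacked or expired DNSBL domain pointing at a parking page would return.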

  • Freedom2Surf (Score:4, Interesting)

    by Phil John (576633) <phil@webstarslt d . c om> on Friday January 05, 2007 @05:28AM (#17471064)

    They're currently allegedly trying to extort money from a UK ISP Freedom2Surf (sadly now part of the Pipex group).

    By default SORBS apparently block all dynamic IPs. For some strange reason they've deemed that 8192 IPs that are actually in the F2S static range are dynamic because the reverse DNS includes the IP address.

    I've heard that they want $50 per IP to unblock them. They won't even talk to users who have static IP addresses in that range to get the block lifted.

    • by ahodgson (74077)
      Why would they? I don't even need SORBS to tell me that reverse addresses with dotted quads in them are block-on-sight.
  • "from the blacklists-in-general-are-like-this dept."
    That about sums it up.
  • by Anonymous Coward on Friday January 05, 2007 @05:56AM (#17471202)
    Several reasons why:
    Large netblocks will be repeatedly put onto one of their lists if they don't comply with the founder/main admin's idea of how reverse DNS should be configured. They will list IP blocks that don't conform to an RFC that, funnily enough, he wrote.

    Getting in contact with them in any reasonable timeframe is damn near impossible in any timely manner.
    Primary/secondary SMTP servers of ISPs will often be listed as part of their blanket block approach.

    They continually block whole IP ranges that are statically assigned, often automatically with seemingly no human oversight. There can be found many complaints on assorted web forums across the net, especially australian, full of people trying to figure out why they were listed on one of the sorbs lists, and how to be removed.

    Almost all of the issues I have run into with SORBS don't seem to have anything to do with eliminating spam, more to do with pushing the founder's RFC for reverse lookups. Comply, and you are free from hassle forever. Fail to comply, and face losing SMTP access to any providers using SORBS for anywhere from a day to over a week.
    • by Pig Hogger (10379)
      Large netblocks will be repeatedly put onto one of their lists if they dont comply with the founder/main admin's idea of how reverse dns should be configured. They will list IP blocks that dont conform to an RFC that funnily enough, he wrote.
      If it's in an RFC, it's the law.
      • by sparks (7204) *
        This is categorically not true. An RFC is a request for comments. A suggestion. That's all. No one is required to comply with anything in an RFC.
      • by KillerBob (217953)
        Is that so? [ietf.org]

        An RFC is a Request For Comments. It's a suggestion that may or may not become standard practice. It's in no way "law". It's up to software writers and administrators whether or not to implement them. Now, you have some choices... my own sendmail server ignores connections from hosts that don't have full compliance with RFC 821, for example. That's basic greylisting. But his suggested RFC has not passed into canon by any stretch.
    • by sparks (7204) *
      It's not even an RFC. It's a badly written and expired draft.

      Linked here [ietf.org]

      There is absolutely no chance of this becoming an RFC. It's utterly facile.

  • by Anonymous Coward on Friday January 05, 2007 @05:57AM (#17471206)
    I have a fixed IP address provided by my ISP. I run my own servers and have done for nearly 10 years. My servers are not now, and have never been, open relays. I have run every possible test to make sure that is the case. SORBS, in their infinite wisdom, deem my address to be dynamic because it is part of a permanently leased dynamic range, so they block me, and therefore I cannot send email to anyone using two of the major ISPs in Australia. I have emailed SORBS and asked them to check my server. No response. I have spoken to the Telecommunications Industry Ombudsman in Australia, who tell me they can't do anything, that I should talk to "The Australian Communications and Media Authority", but if you check the SORBS site it specifically mentions that "The Australian Communications and Media Authority" have no influence over them at all. I have threatened SORBS with legal action. No response. Basically, they don't care less that I can't send email to the majority of Australia's internet users, because I won't donate money to them.

    If you visit their site their tag line says "Fighting spam by finding and listing Exploitable Servers." This really should read "Exploiting small businesses through a cash for delisting scam".

    Oh, and I forgot to mention, I've been told that the two major Australian ISPs who use SORBS just happen to form part of the "group of companies as a private venture" that make up SORBS. Interesting, huh?
    • Re: (Score:3, Informative)

      by Pig Hogger (10379)
      so they block me, and therefore I cannot send email to anyone using two of the major ISP's in Australia. I have emailed sorbs and asked them to check my server.
      You're shooting at the wrong duck. You're not being blocked by SORBS, but by the "two major ISPs in Australia". Your beef is with them, not SORBS.
      • That's a very shortsighted view. We had defamation laws for a reason, and that reason is that while sticks and stones will break your bones, words most certainly can hurt you as well. I don't see why the actions of SORBS -- which sound like a pretty obvious protection racket looking at the comments in this thread -- wouldn't lead to a very fast court case with a very negative result for the operators of SORBS.

        • by Pig Hogger (10379)
          We had defamation laws for a reason, and that reason is that while sticks and stones will break your bones, words most certainly can hurt you as well. I don't see why the actions of SORBS
          There is nothing defamatory there. SORBS says that spam comes from such-and-such range, and they have samples to prove it.

          Truth is proof against defamation.

      • I'd say a little of column a, a little of column b.

        I mean, sure, most of the blacklists say 'Hey, don't use this to reject mail completely!' They generally, however, go on to say '*wink wink* if you really want to, though, here's a config file snippet to drop into your mail config. *wink wink*.

    • I have threatened SORBS with legal action.

      Well, there's your problem right there! Most people don't really like legal threats, and amongst the more fanatical anti-spammers, they're quite the source of amusement. I submit for your consideration the cart00ney.org blacklist [surriel.com], which is an RBL specifically for listing people that send legal threats to blacklist operators. I also suggest that you search Google Groups' archive of NANAE for 'Matthew Sullivan' and 'cart00ney', because I'm sure your threat got a go
  • by christophe.vg (742168) on Friday January 05, 2007 @06:19AM (#17471316) Homepage

    For a few years now, I'm using three RBL's to filter the incoming mails on our mail server, which hosts a few small-sized customers and some personal domains. The RBL's I use are: SpamHaus, SPEWS and SpamCop. We have set them up in sequence, so that a mail caught by one is not passed to the following anymore.

    Looking at two days ...

    01/01/07
    total mails processed : 1432
    considered non-spam : 719 (50.21%)
    total number of blocks : 713 (49.79%)
    spamhaus : 630 (88.36%)
    spews : 2 ( 0.28%)
    spamcop : 81 (11.36%)

    01/01/06
    total mails processed : 381
    considered non-spam : 155 (40.68%)
    total number of blocks : 226 (59.32%)
    spamhaus : 191 (84.51%)
    spews : 31 (13.72%)
    spamcop : 4 ( 1.77%)

    ... it shows the trend I've seen over this time: SpamHaus does a great job for me and we haven't received any complaints from the customers concerning people not able to contact them.

    Given these (poor-man's statistics) it seems that SPEWS is of little use to us. SpamHaus catches most of the problems. Maybe even if we switched SPEWS' and SpamCop's order, we might see that the latter would be able to catch those mails now caught by the former. It's surely something we're going to try.

    On the other hand, it might very well be that SPEWS would catch also all SPAM caught by SpamHaus. Reversing the current order might be a nice test before we come to any real conclusions on which RBL to drop ;-)

    The (current) bottom line: For us, SPEWS isn't causing any problems, but also doesn't help us that much. SpamHaus seems to be a great RBL source and SpamCop seems to be a nice addition.

    But it doesn't stop all SPAM.

      If you're using SpamCop, you will get hit with some false positives. SpamCop's list is aggressive, and lots of innocent servers get listed in their RBL. Especially if you ever want to receive emails from people using ESPs (IntelliContact, Vertical Response, Bronto), then don't use SpamCop.

      (FYI: In the interest of full disclosure, I work for IntelliContact)
  • Sorbs blacklists nearly all ISP relays which force their customers to send through them or do transparent SMTP proxying. On the positive side this means that you are not going to get those 1-2 per day annoying Spanish or Dutch lotto scams from orange/freeserve webmail. On the negative side this means that you are not going to get mails from small law abiding businesses like recruitment agencies and such. They also blacklist nearly all lesser webmails.

    I tried it for 2 weeks around the time when SpamHaus futu
  • SORBS? (Score:2, Insightful)

    Orange is not just an ISP. It's a multinational mobile telecom company. http://en.wikipedia.org/wiki/Orange_SA [wikipedia.org]. As far as I know, after they were bought by France Telecom, they moved many of their servers to a unique class B address space. Maybe that address you found is from the old ones, which is not used anymore for mail, so unblocking it doesn't interest them.

    On the other hand, getting a blacklist like this, doesn't seem to solve your problem: getting less SPAM. Do you think spammers don't have enough mo
  • sbl-xbl (Score:5, Informative)

    by Halo1 (136547) <<eb.tnegu.sile> <ta> <ebeam.sanoj>> on Friday January 05, 2007 @06:54AM (#17471496) Homepage
    SBL contains the spam houses, XBL trojaned boxes/open proxies etc. (you can of course also only use one of them). See http://www.spamhaus.org/xbl/index.lasso [spamhaus.org]
  • by cyberfoxz (207499) on Friday January 05, 2007 @08:42AM (#17471994)
    I work at the abuse dept. of a large Dutch ISP and we rely heavily on SORBS. When I started working there one of my colleagues convinced us that there is no way you could be able to contact SORBS and I thought that to be true. We found out however that it is really not that hard to get in touch with them and if you follow their guidelines, you never have to pay for delisting. The paying part is mainly to scare off spammers delisting addresses they do not own. They use a small set of totally acceptable rules to delist addresses from their DUL list (if you use a mailserver on a dynamic address, go get a static one. If you can't, you should be using your ISP's mailserver). Their rules:
    1. Only the owner of the address space may contact them, as listed in one of the five RIR databases (RIPE, ARIN etc). We always use abuse@isp.com, because this is a known address in RIPE.
    2. The IP address must be known as static and have a PTR record stating it is static (mail.domain.com is acceptable).
    3. It must have a correct A record.
    4. The TTL of the A record must be 86400 sec.
    If you contact them in the way they wish to be contacted (just read their website, it's not that hard), they will delist you in 24-48 hours. However, if you aren't the owner of the address space or the simple rules are not followed, your request will be ignored. Everyone who thinks they can't get through to SORBS just isn't reading their guidelines, it's that simple.
    • by TheLink (130905)
      One of the best? Really? So what's their false positive and false negative rate?

      So far in my experience RBLs have an unacceptably high false positive rate because of the way most of them work - they go by IP _ranges_.

      My email provider doesn't block spam for me, they just give it a spam ranking. I then run my email through a bayes filter, if the ISP's ranking is high enough for my comfort or the bayes thingy thinks it's spam, then it's spam.

      So far I've noticed only a few false positives (I scan very quickly
    • by Thorizdin (456032)
      Sorry, but this is incorrect. SORBS does _not_ make exceptions for people who follow the rules, at least not in the 8 tickets that we have had to open with them. They can be contacted via their web site ticketing system, but communication is slow, arrogant, ignorant, and inconsistent. We were able to get delisted once without paying their blackmail, but the next time we were listed they refused to even provide headers so we could locate the offender. Perhaps you were fortunate enough to only have to dea
  • by kunwon1 (795332) * <dave.j.moore@gmail.com> on Friday January 05, 2007 @09:28AM (#17472296) Homepage
    ORDB just shut its doors. From their closing announcement: (emphasis mine)

    We regret to inform you that ORDB.org, at the ripe age of five and a half, is shutting down. It's been a case of a long goodbye as very little work has gone into maintaining ORDB for a while.

    Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.

    We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).

  • SpamHaus (Score:4, Interesting)

    by Wdomburg (141264) on Friday January 05, 2007 @10:15AM (#17472690)
    SpamHaus is the only blacklist that I trust to do straight blocking on. We've been using them for years and have gotten a grand total of two complaints about blocked mail; in both cases the sender was on the XBL because their machine was compromised. Considering our active userbase is in the hundreds of thousands, I'd say that isn't bad at all. :)

    We actively discourage people from using SORBS. Even if they were more accurate, their removal policy is extortion.

    Any of the other blacklists out there I would recommend only as part of a scoring algorithm. Most are fairly cavalier about blocking entire netblocks even if the problem is isolated, most have no automatic aging of entries, many have poor delisting policies or are slow to respond and the false positive rates tend to vary from ok to abysmal (SpamCop, for example, doesn't seem to know the difference between a bounce message and a piece of spam... though to their credit they are fairly good about removals and provide a feedback loop so you at least know when they've tagged a message as spam).
    • by dodobh (65811)
      We use the SORBS dynamic block list in addition to the sbl-xbl. We have about two orders of magnitude more users than you do.
  • by target562 (623649) on Friday January 05, 2007 @10:17AM (#17472714) Homepage
    With the advent of the spam bot networks, blacklists aren't as useful for spam fighting as they used to be. Greylisting + content analysis is currently the way to go; though Spamhaus still does a decent job, but not Spamcop due to their "unsolicited bounces" thing...
  • I support the use of DNSRBLs (not by use alone, but it should augment a content-filtering system), with the exception of SORBS. I have found it to be far too aggressive, more so than SPEWS. In fact, an ISP with which I partner wound up on SORBS, and during the removal process they discovered that a number of the recommended donation recipients will not accept the donations because of the myriad complaints over the process.

    Ah, well.
  • by Spazmania (174582) on Friday January 05, 2007 @10:42AM (#17473068) Homepage
    At this point, very few people take SORBS seriously. They're inaccurately over-aggressive. If you use it for more than your personal email, you're begging for a lot of user complaints.

    My own fun story is that they went on to my web site and subscribed their spamtraps to my opt-in email list. I didn't double-confirm, so I guess it's my fault that they scammed me. SORBS then used the emails emitted from that single IP address to justify blocking 8,192 of my ISP's email addresses.

    Every other RBL maintainer has found my list to be clean. The only non-SORBS problem I've had with an RBL was with Spamcop. That was immediately resolved when the only folks who responded to further inquiry apologized for reporting the list mail by mistake.
  • I'd highly recommend using some aggressive URIBL filtering -- that way, if someone gets blocked, you can be certain /they/ are the person you wanted to block.
  • Wrong Layer (Score:2, Insightful)

    by jofny (540291)
    The idea of identifying/tracking/blocking content/activity/people at the IP level was always a hack at best and has long since become a completely haphazard solution. Black lists are a bad idea that's gone on too far. Instead of putting all of that energy into building, maintaining, and implementing those lists on networks, spend some time fixing it at an app protocol or content (auth) level. Yeah, initially a lot of legit mail won't get through - but that's true of black lists as well. I know there are a lo
  • If you reject email based on a blacklist, that's putting an awful amount of trust in the maintainers of the lists. Rejecting email based on a blacklist is always a dumb idea.

    Blacklists do have a use, however. Use them with something like SpamAssassin. Rather than reject mail based on the list, just add points to the score.
  • Somehow, we ended up listed on their dynamic/dial-up list. We were a medium-sized business with a /27 subnet in the middle of a Class C amongst several other small businesses. We also had two /24's on two other networks.

    To get de-listed you had to meet a couple of requirements. You had to have an MX record as a hostname (pretty much the standard). You had to have a reverse DNS or PTR record for the address. I used their ticket logging system to send them a compelling argument, and the whole Class C was fi
  • I can highly recommend the Composite Block List (CBL), cbl.abuseat.org. They seem to have an extremely good handle on trojanned zombie/bot machines. I started using the CBL when the massive pump-and-dump stock spam runs started several months ago, and it's been very effective.

    As an aside, if you're being flooded with the stock spams, implement a filter to silently drop mails with a message-ID containing "6c822ecf" ...
  • Blacklists are like closing the barn doors after the horses have escaped, it's a fundamentally flawed concept. By the time a spam source ends up on a blacklist any spammer worth its salt has already moved on. Combined with the tendency for false positives, it's a cure that's worse than the disease. A "smart" spam filter like SpamBayes is better, but it's not perfect either, and you'll have to keep it in training-- not so easy if you're trying to filter for a whole shop and not just your own personal emai
  • Breakdown of a single day at one of my servers:

    91 Relay access denied
    135 http://www.spamhaus.org/SBL/sbl.lasso?
    2306 http://www.spamcop.net/bl.shtml?
    4364 greylist expired
    6007 Sender address rejected
    41144 Helo command rejected
    117479 Recipient address rejected

    As you can see, the most common hit is trawling for valid names. Second most common hit is people claiming to be the domain they're sending to. We've got Postfix set to say 'F off' to any machine that lies in HELO, fail
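    A parser that produces that kind of breakdown, added here as an example and not the poster's code: it tallies Postfix smtpd reject lines by reason, names the DNSBL on "Service unavailable" rejects, and flags any client whose run of unknown-recipient rejects looks like the name trawling described above. The log lines and the threshold of 2 are constructed for the example.

```python
import re
from collections import Counter

# Constructed Postfix smtpd reject lines (not from the poster's server).
LOG = """\
Jan  5 10:01:02 mx postfix/smtpd[311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.test> to=<aaron@example.com> proto=SMTP helo=<mx>
Jan  5 10:01:03 mx postfix/smtpd[311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.test> to=<abby@example.com> proto=SMTP helo=<mx>
Jan  5 10:01:04 mx postfix/smtpd[311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <mx>: Helo command rejected: need fully-qualified hostname; from=<x@spam.test> to=<bob@example.com> proto=SMTP helo=<mx>
Jan  5 10:02:10 mx postfix/smtpd[312]: NOQUEUE: reject: RCPT from host.isp.test[192.0.2.5]: 554 5.7.1 Service unavailable; Client host [192.0.2.5] blocked using sbl-xbl.spamhaus.org; from=<y@isp.test> to=<bob@example.com> proto=ESMTP helo=<host.isp.test>
Jan  5 10:03:11 mx postfix/smtpd[313]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.7.1 <carol@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<z@other.test> to=<carol@example.com> proto=ESMTP helo=<mta.other.test>
Jan  5 10:04:12 mx postfix/smtpd[314]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 454 4.7.1 <dave@elsewhere.test>: Relay access denied; from=<z@other.test> to=<dave@elsewhere.test> proto=ESMTP helo=<mta.other.test>
Jan  5 10:05:13 mx postfix/smtpd[315]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.1.8 <z@nxdomain.invalid>: Sender address rejected: Domain not found; from=<z@nxdomain.invalid> to=<bob@example.com> proto=ESMTP helo=<mta.other.test>
"""

# Matches Postfix's "NOQUEUE: reject: RCPT from host[ip]: code x.y.z [<addr>: ]reason;" shape.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \d\.\d\.\d (?:<[^>]*>: )?(?P<reason>[^;]+)"
)

def categorize(line: str):
    """Return (client_ip, category) for a reject line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    reason = m["reason"]
    category = reason.split(":")[0].strip()       # e.g. "Helo command rejected"
    if category == "Service unavailable":          # DNSBL hit: report the list name instead
        dnsbl = re.search(r"blocked using (\S+?);", line)
        if dnsbl:
            category = dnsbl[1]
    elif "Greylisted" in reason:
        category = "greylisted"
    return m["ip"], category

def summarize(log: str, harvest_threshold: int = 2):
    """Count reject categories and list clients hammering unknown recipients."""
    reasons, unknown_by_ip = Counter(), Counter()
    for line in log.splitlines():
        hit = categorize(line)
        if hit is None:
            continue
        ip, category = hit
        reasons[category] += 1
        if category == "Recipient address rejected":
            unknown_by_ip[ip] += 1
    harvesters = sorted(ip for ip, n in unknown_by_ip.items() if n >= harvest_threshold)
    return reasons, harvesters
```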
