[Dshield] DOS by Sorbs?
James C Slora Jr
Jim.Slora at phra.com
Thu Dec 22 14:48:18 GMT 2005
On Thu, 22 Dec 2005 12:58:02 +1300 "martin forest" <martin at forest.gen.nz>
> Is it reasonable to be listed on RBL lists for following rfc's?
Yes and no. There are "damned if you do" RBLs such as Sorbs, and there are
"damned if you don't" RBLs such as RFC-ignorant. Anyone who uses an RBL
should check its policies and history out carefully to see if the RBL
maintainers' philosophical and technical approach is compatible with their
> Have many of you had problems with Sorbs?
I have had occasional problems with domains that use Sorbs as a blocklist.
Anyone who sends NDRs will almost certainly get blacklisted from time to
time on various lists. I get about 25,000 legitimate messages per month, and
about 1.7 million spam and virus message attempts almost entirely from fake
addresses. So any NDR I send has around a 98% chance of going to a bogus
sender if triggered before screening, and still maybe a 5% chance if
triggered after screening. Even if you don't send NDRs the sheer worldwide
volume of bogus email and compromised systems makes it pretty likely you
will end up on someone's blocklist from time to time.
Some RBLs are based purely on theoretical geography, such as ones that list
all USA or APNIC registered addresses. If someone chooses to block based on
those lists, you won't be able to delist your addresses no matter what.
Commercial screening services can also compound the problem - if one of
their other customers sends problem mail to a spamtrap, you can find some of
your mail being blocked too. I deal with that problem myself, but it does
not negate the value of the screening service.
> In order for them to remove us from their black list, they want money. Is
Not really. Nearly everyone who gets listed on any RBL tries to get off it,
even if they are pure intentional spammers. So the maintainers got sick of
investigating meritless removal requests for free.
Keep in mind Sorbs does not block your mail so they can't blackmail or
extort money from you. Only people who choose to block mail based on Sorbs'
list can cause any problems for you. It may sound like a tortured beg-off
when Sorbs says they are not responsible for your blocked mail, but their
logic is perfectly compatible with the intent and history of blacklists. If
you block based on an RBL then you, not the RBL maintainers, are choosing to
deny service. If an RBL has too many false positives for their tastes,
people should choose another one.
> Is it normal custom to blacklist without warning?
Definitely normal. Some notify and most (in my experience) don't. Normally
our bounced outbound mail is the first indicator of a problem.
SORBS is way too aggressive for my business tastes so I don't use their
list, but I have no ill will toward them.
The spammers, skiddies, and criminals deserve the venom. It's their fault
everyone is challenged with finding the minuscule amount of legitimate mail
floating on the nonstop stream of SMTP sewage.