[Dshield] DOS by Sorbs?

Scott Melnick smelnick at water.com
Thu Dec 22 16:01:32 GMT 2005


Here is what I found. I used Solar Winds Blacklist utility. I show 2
black list sites Black listing you for Dynamic IP addresses. This is
assuming I got your outbound mail IP correct.

You can also have trouble with email servers that do reverse DNS
lookups. If the reverse doesn't match the email domain, they will reject
your email.

Target	"Reason(s) for being Blacklisted"	URL	"Blacklisted by 2 servers"	
"Sorbs"	"   Received 1 reason"	dnsbl.sorbs.net
""	"      Dial-up/Dynamic network"	"      Dynamic IP
Addresses See: http://www.sorbs.net/lookup.shtml? "

"Not Just Another Bogus List - Secondary list"	"   Received 1 reason"
""	"      Dial-up/dynamic IP address"	"
Dynamic/Residential IP range listed by NJABL dynablock -
http://njabl.org/dynablock.html "

Scott Melnick
Security Guy

>Greetings all

>Are there many of you that have been "cornered" by Sorbs in Australia?
>Suddenly, we started to receive complaints from users that we were on
>RBL list. And when I looked at it, we have been listed by Sorbs as a
>site. After analysing the issue, it turns out that the complaint made
>Sorbs is faked/false and no warning was given to us. Basically, I  
>contacted the remote user (in Finland) that the complaint was referring
>and he have never heard of it. I also contacted our user, who the email

>"was sent from". As most of you probably is guessing by now, a
>spoofed email.

>If we don't do "non delivery notifications", we will break rfc's.
>If we deliver non delivery notifications, we will most likely send crap
>innocent users.
>Our mail servers do strict mail filtering and do not relay. We have a  
>commercial anti spam system for incoming email. Outgoing, incoming and

>internal email systems are separated with a lot of security checks.
>What is the general feeling amongst you lot?

>Is it reasonable to be listed on RBL lists for following rfc's?
>Have many of you had problems with Sorbs?
>In order for them to remove us from their black list, they want money.
>this blackmailing?
>Is it normal custom to blacklist without warning?

>Martin Forest
>Security Manager
>Victoria University of Wellington

More information about the list mailing list