[Dshield] DOS by Sorbs?

Scott Melnick smelnick at water.com
Thu Dec 22 16:28:42 GMT 2005


Oops. OK, it's morning for me. That's the IP for your personal domain.
Well, I assume that the MX records for vuw.ac.nz are your inbound only
and outbound goes out on another IP.

Yawn,

Scott Melnick
Tired Guy

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Scott Melnick
Sent: Thursday, December 22, 2005 11:02 AM
To: General DShield Discussion List
Subject: Re: [Dshield] DOS by Sorbs?

Martin,

Here is what I found. I used the SolarWinds Blacklist utility. I show 2
blacklist sites blacklisting you for dynamic IP addresses. This is
assuming I got your outbound mail IP correct.

You can also have trouble with email servers that do reverse DNS
lookups. If the reverse doesn't match the email domain, they will reject
your email.


Target                                         Reason(s) for being Blacklisted   URL
202.0.38.185                                   Blacklisted by 2 servers
  Sorbs                                        Received 1 reason                 dnsbl.sorbs.net
    127.0.0.10                                 Dial-up/Dynamic network           Dynamic IP Addresses. See: http://www.sorbs.net/lookup.shtml?202.0.38.185
  Not Just Another Bogus List - Secondary list Received 1 reason                 dnsbl.njabl.org
    127.0.0.3                                  Dial-up/dynamic IP address        Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html


Scott Melnick
Security Guy

>Greetings all

>Are there many of you that have been "cornered" by Sorbs in Australia?
>Suddenly, we started to receive complaints from users that we were on an
>RBL list. And when I looked at it, we have been listed by Sorbs as a spam
>site. After analysing the issue, it turns out that the complaint made to
>Sorbs is faked/false and no warning was given to us. Basically, I
>contacted the remote user (in Finland) that the complaint was referring to
>and he has never heard of it. I also contacted our user, who the email
>"was sent from". As most of you are probably guessing by now, a classical
>spoofed email.

>If we don't do "non delivery notifications", we will break RFCs.
>If we deliver non delivery notifications, we will most likely send crap to
>innocent users.
>Our mail servers do strict mail filtering and do not relay. We have a
>commercial anti-spam system for incoming email. Outgoing, incoming and
>internal email systems are separated with a lot of security checks.
>What is the general feeling amongst you lot?

>Is it reasonable to be listed on RBL lists for following RFCs?
>Have many of you had problems with Sorbs?
>In order for them to remove us from their blacklist, they want money. Is
>this blackmail?
>Is it normal custom to blacklist without warning?

>Cheers
>Martin Forest
>Security Manager
>Victoria University of Wellington
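The checks Scott ran above (a DNSBL lookup on the outbound IP, decoded from the 127.0.0.x answer, plus the reverse-DNS match he warns about) can be scripted so an operator can verify their own mail IP before users start complaining. The code below is an added example, not part of this thread or of the SolarWinds tool; the resolver is a constructed in-memory stand-in for real DNS, and the hostnames it returns are made up for the example.

```python
import ipaddress
from typing import Callable, Dict, List

# Answer codes as they appear in the quoted SolarWinds output; each list
# publishes its own meanings, so the map is keyed per zone.
DNSBL_CODES: Dict[str, Dict[str, str]] = {
    "dnsbl.sorbs.net": {"127.0.0.10": "Dial-up/Dynamic network"},
    "dnsbl.njabl.org": {"127.0.0.3": "Dial-up/dynamic IP address"},
}

# (name, rrtype) -> answers; an empty list means NXDOMAIN / not listed.
Resolver = Callable[[str, str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the DNSBL zone, e.g. 185.38.0.202.dnsbl.sorbs.net."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """Return the decoded reasons a zone lists the IP for (empty if not listed)."""
    answers = resolve(dnsbl_query_name(ip, zone), "A")
    codes = DNSBL_CODES.get(zone, {})
    return [codes.get(a, f"listed, unknown code {a}") for a in answers]


def fcrdns_ok(ip: str, resolve: Resolver) -> bool:
    """Forward-confirmed reverse DNS: some PTR name of the IP must resolve back to it."""
    ptr_name = ipaddress.ip_address(ip).reverse_pointer  # e.g. 185.38.0.202.in-addr.arpa
    return any(ip in resolve(name, "A") for name in resolve(ptr_name, "PTR"))


# Constructed offline zone data standing in for live DNS (hostnames are made up).
FAKE_ZONE: Dict[tuple, List[str]] = {
    ("185.38.0.202.dnsbl.sorbs.net", "A"): ["127.0.0.10"],   # matches the quoted lookup
    ("185.38.0.202.dnsbl.njabl.org", "A"): ["127.0.0.3"],    # matches the quoted lookup
    ("185.38.0.202.in-addr.arpa", "PTR"): ["mail.example.invalid"],
    ("mail.example.invalid", "A"): ["192.0.2.10"],           # does not point back: rDNS mismatch
    ("7.100.51.198.in-addr.arpa", "PTR"): ["mx.example.invalid"],
    ("mx.example.invalid", "A"): ["198.51.100.7"],           # consistent forward/reverse pair
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    return FAKE_ZONE.get((name, rrtype), [])


def report(ip: str, resolve: Resolver = fake_resolve) -> dict:
    """Summarise DNSBL listings and the reverse-DNS check for one outbound IP."""
    return {
        "listings": {zone: check_dnsbl(ip, zone, resolve) for zone in DNSBL_CODES},
        "fcrdns": fcrdns_ok(ip, resolve),
    }
```

Swap `fake_resolve` for a function that performs real A and PTR queries to run it against live lists.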