[Dshield] DOS by Sorbs?

jayjwa jayjwa at atr2.ath.cx
Fri Dec 23 01:43:15 GMT 2005


On Thu, 22 Dec 2005, martin forest wrote:

-> Are there many of you that have been "cornered" by Sorbs in Australia?
-> Suddenly, we started to receive complaints from users that we were on an RBL
-> list.

If you run a mailserver, sooner or later you will see the "fun" that an RBL 
can make for a postmaster. There are examples of entire companies and even 
smaller countries being ruined because of being listed on one of these things.

-> And when I looked at it, we have been listed by Sorbs as a spam site.

Supposedly, I'm running an Anal X Proxy (Windowz trojan/program, this is a 
linux machine, go figure...) so don't feel bad ;)

-> After analysing the issue, it turns out that the complaint made to Sorbs is
-> faked/false and no warning was given to us.

This is one of the biggest downfalls of the concept of RBLs: they list 
tons of false positives. I've never heard of a case where someone was warned, 
or even told. Most people find out when they get complaints, as you did. 
Meanwhile, they think their mail is going through OK. Makes one wonder what you 
think got sent, but actually didn't. Was it important? Did someone depend on 
it?

-> What is the general feeling amongst you lot?

RBLs are a classic example of the medicine being worse than the illness; 
that's my (publicly printable) feeling about RBLs.

-> Is it reasonable to be listed on RBL lists for following rfc's?

It's reasonable to be listed for never spamming, ever, so I guess that you 
could be listed for just about anything.

-> Have many of you had problems with Sorbs?

69.95.5.4, Sorbs listed (at the time, don't know about now). I follow the 
little message on their bounces. It leads to a website, where presumably I'll 
be given a reason, explanation, more info- anything- why I'm being listed. 
I'm a Linux user, I'm working at the console. I start up my browser and find 
the page:

SORBS                  Not Logged in
Database Lookup        Fighting spam by
                        finding and listing
                        Exploitable Servers.

                 Please enter the address you wish to check.
                 [69.95.5.4           ]
                 [Check] [Reset]

                 As you are not logged in to proceed
                 you need to enter the code in the
                 image into the code box.

                 Please login to bypass this Captcha
                 Enter Code:   [        ]


Codes? Logins? Oh, and where's this "Captcha" I need to solve? There are no 
pictures. OK, so I need MSIE or what? Yet I'm blocked by these people. Thanks 
for the, um, help. I hope that wasn't a real issue, but then again, I have no 
way of knowing, because I'm not able to jump through their hoops. I can only 
check, and make sure everything seems to be in order, and it is.

-> In order for them to remove us from their black list, they want money. Is
-> this blackmailing?

Sounds like it to me. Yet people support these services, even champion them. 
Until they land on the wrong side of the list, that is. I'll admit I used to 
use one. But after more than three years of running my own mailserver, I've 
found that there are much better ways of fighting spam without beating up on 
innocent people. The very basis of DNS RBL is flawed:

1) it assumes incorrectly that people have one IP address for all time, and 
that anything *appearing* to be from there (as in the case here) must in fact 
be from there, no questions asked and no apologies given.

2) it ignores the fact that, if you really want to, or know the mail system 
(like spammers do), you can easily change your IP: there are free lists on the 
'Net, updated hourly or better, that list millions of open and usable HTTP, 
SOCKS4, and SOCKS5 proxies. All you need is Google to find them.

3) it assumes incorrectly that, once listed and blocked, the spam source 
stops. It usually doesn't. It moves. Now with botnets, IP addresses are 
disposable. Spammers don't care if they land your entire subnet in blacklist 
space: they have more. The only one that really suffers is the legitimate 
owners.

4) they assume that one source is entirely all bad (spam) or all good 
(non-spam), which just isn't true. Any mid to large size ISP will have spam, 
and trouble with spammers. Hotmail/MSN have been getting swamped lately; 
however, they do send out a large amount of good email. You probably know 
of someone that has this email service. Maybe you yourself use them.

-> Is it normal custom to blacklist without warning?

Yes. Also typically without reason: many blocklists will refuse to show you 
the "proof" they have that you're a spammer. The only one that I've been 
blocked by that does, is dsbl.org. Usually it's an infected Windows PC.

I wish I had a simple solution for you, but there isn't one. I certainly 
wouldn't send them a dime though; that reinforces what they're doing, and 
allows them to do it to the next guy. People need to realize just how evil and 
damaging these "services" are, and stop using them. If you try to talk to the 
people that are blocking you, you usually will get nowhere. That's everyone's 
first action. Threatening legal action doesn't help either, because then they 
say that "we only are providing a service of listing numbers, we don't block 
anyone", which is a loophole that shrugs off all responsibility. If they 
didn't exist, would there be a problem? No? So then they must have some 
bearing on the outcome.


-j
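[Editor's note, not part of the post above.] The mechanism the thread is arguing about is simple enough to show in a few lines, and it also shows where a careless MTA manufactures false positives of its own. A DNSBL client reverses the octets of the sending IP, appends the list's zone, and treats an A record in 127.0.0.0/8 as "listed". Two failure modes bite postmasters in practice: a zone that has been abandoned and wildcarded (every query answers, so every sender is "listed"), and an expired zone whose domain now resolves to a parking address. RFC 5782 defines a self-test for this: 127.0.0.2 must be listed and 127.0.0.1 must not be. The example below is added here and is not code from the original post or from SORBS; the zone names, the in-memory answer table that stands in for live DNS, and the return codes for the listed addresses are constructed for the demonstration (69.95.5.4 is the address the poster mentions, placed in the table as a sample listing only).

```python
"""DNSBL lookup with the sanity checks a postmaster would want.

Added example, not from the original post or from any blocklist operator.
Everything in FAKE_DNS is constructed so the code runs offline. The only
real-world conventions used are the query form (reversed octets + zone,
A record in 127.0.0.0/8 means listed) and the RFC 5782 test addresses
(127.0.0.2 must be listed, 127.0.0.1 must not be).
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps a query name to its A records; [] stands for NXDOMAIN.
Resolver = Callable[[str], List[str]]

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# Constructed answer table. Three zones with three very different behaviours:
FAKE_DNS: Dict[str, List[str]] = {
    # good.example.net: a live list. Test point present, 127.0.0.1 absent,
    # and 69.95.5.4 (the address from the post) listed with code 127.0.0.3.
    "2.0.0.127.good.example.net": ["127.0.0.2"],
    "4.5.95.69.good.example.net": ["127.0.0.3"],
    # dead.example.net: abandoned zone turned into a wildcard; every name
    # answers 127.0.0.2, including the 127.0.0.1 "must not be listed" probe.
    "1.0.0.127.dead.example.net": ["127.0.0.2"],
    "2.0.0.127.dead.example.net": ["127.0.0.2"],
    "4.5.95.69.dead.example.net": ["127.0.0.2"],
    "8.8.8.8.dead.example.net": ["127.0.0.2"],
    # parked.example.net: expired domain, every name resolves to a parking IP.
    "1.0.0.127.parked.example.net": ["203.0.113.10"],
    "2.0.0.127.parked.example.net": ["203.0.113.10"],
    "4.5.95.69.parked.example.net": ["203.0.113.10"],
}


def fake_resolve(qname: str) -> List[str]:
    """Offline stand-in for a DNS A lookup against the constructed table."""
    return FAKE_DNS.get(qname, [])


def dnsbl_qname(ip: str, zone: str) -> str:
    """Build the DNSBL query name: 69.95.5.4 -> 4.5.95.69.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x return code if ip is listed in zone, else None.

    Answers outside 127.0.0.0/8 (parking pages, hijacked zones) are not a
    listing and are ignored rather than treated as "blocked".
    """
    for rr in resolve(dnsbl_qname(ip, zone)):
        if ipaddress.IPv4Address(rr) in LOOPBACK:
            return rr
    return None


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 self-test: 127.0.0.2 listed and 127.0.0.1 not listed.

    A wildcarded dead zone fails the second check; a parked zone fails the
    first because its answers are not in 127.0.0.0/8.
    """
    return (lookup("127.0.0.2", zone, resolve) is not None
            and lookup("127.0.0.1", zone, resolve) is None)


def check_sender(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, str]:
    """Consult each zone, skipping any that fails the self-test.

    Result per zone: "listed:<code>", "not listed", or "unusable". An MTA
    that skipped the self-test would reject every sender once a list died.
    """
    verdicts: Dict[str, str] = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            verdicts[zone] = "unusable"
            continue
        code = lookup(ip, zone, resolve)
        verdicts[zone] = f"listed:{code}" if code else "not listed"
    return verdicts


if __name__ == "__main__":
    zones = ["good.example.net", "dead.example.net", "parked.example.net"]
    for sender in ("69.95.5.4", "8.8.8.8"):
        print(sender, check_sender(sender, zones, fake_resolve))
```

Swap `fake_resolve` for a function that does a real A query (e.g. via `socket.gethostbyname_ex` or a DNS library) and the same checks apply to live zones; the self-test is cheap enough to cache per zone for a few minutes rather than repeat on every message.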