[Dshield] DOS by Sorbs?
jayjwa at atr2.ath.cx
Fri Dec 23 01:43:15 GMT 2005
On Thu, 22 Dec 2005, martin forest wrote:
-> Are there many of you that have been "cornered" by Sorbs in Australia?
-> Suddenly, we started to receive complaints from users that we were on an RBL
If you run a mailserver, sooner or later you will see the "fun" that an RBL
can make for a postmaster. There are examples of entire companies and even
smaller countries being ruined because of being listed on one of these things.
-> And when I looked at it, we have been listed by Sorbs as a spam site.
Supposedly, I'm running an Anal X Proxy (Windowz trojan/program, this is a
linux machine, go figure...) so don't feel bad ;)
-> After analysing the issue, it turns out that the complaint made to Sorbs is
-> faked/false and no warning was given to us.
This is one of the biggest downfalls about the concept of RBL's: they list
tons of false positives. I've never heard of a case where someone was warned,
or even told. Most people find out when they get complaints, as you did.
Meanwhile, they think their mail is going thru OK. Makes one wonder what you
think got sent, but actually didn't. Was it important? Did someone depend on
-> What is the general feeling amongst you lot?
RBL's are a classic example of the medicine being worse than the illness;
that's my (publicly printable) feeling about RBL's.
-> Is it reasonable to be listed on RBL lists for following rfc's?
It's reasonable to be listed for never spamming, ever, so I guess that you
could be listed for just about anything.
-> Have many of you had problems with Sorbs?
126.96.36.199, Sorbs listed (at the time, don't know about now). I follow the
little message on their bounces. It leads to a website, where presumably I'll
be given a reason, explanation, more info- anything- why I'm being listed.
I'm a Linux user, I'm working at the console. I start up my browser and find
SORBS Not Logged in
Database Lookup Fighting spam by
finding and listing
Please enter the address you wish to check.
As you are not logged in to proceed
you need to enter the code in the
image into the code box.
Please login to bypass this Captcha
Enter Code: [ ]
Codes? Logins? Oh, and where's this "Captcha" I need to solve? There are no
pictures. OK, so I need MSIE or what? Yet I'm blocked by these people. Thanks
for the, um, help. I hope that wasn't a real issue, but then again, I have no
way of knowing, because I'm not able to jump thru their hoops. I can only
check, and make sure everything seems to be in order, and it is.
-> In order for them to remove us from their black list, they want money. Is
-> this blackmailing?
Sounds like it to me. Yet people support these services, even champion them.
Until they land on the wrong side of the list, that is. I'll admit I used to
use one. But after more than three years of running my own mailserver, I've
found that there are much better ways of fighting spam without beating up on
innocent people. The very basis of DNS RBL is flawed:
1) it assumes incorrectly that people have one IP address for all time, and
that anything *appearing* to be from there (as in the case here) must in fact
be from there, no questions asked and no apologies given.
2) it ignores the fact that, if you really want to, or know the mail system
(like spammers do), you can easily change your IP: there are free lists on the
'Net, updated hourly or better, that list millions of open and usable HTTP,
SOCKS4, and SOCKS5 proxies. All you need is Google to find them.
3) it assumes incorrectly that, once listed and blocked, the spam source
stops. It usually doesn't. It moves. Now with botnets, IP addresses are
disposable. Spammers don't care if they land your entire subnet in blacklist
space: they have more. The only one that really suffers is the legitimate
4) they assume that one source is entirely all bad (spam) or all good
(non-spam), which just isn't true. Any mid to large size ISP will have spam,
and trouble with spammers. Hotmail/MSN have been getting swamped lately;
however, they do send out a large amount of good email. You probably know
of someone that has this email service. Maybe you yourself use them.
-> Is it normal custom to blacklist without warning?
Yes. Also typically without reason: many blocklists will refuse to show you
the "proof" they have that you're a spammer. The only one that I've been
blocked by that does, is dsbl.org. Usually it's an infected Windows PC.
I wish I had a simple solution for you, but there isn't one. I certainly
wouldn't send them a dime though, that reinforces what they're doing, and
allows them to do it to the next guy. People need to realize just how evil and
damaging these "services" are, and stop using them. If you try to talk to the
people that are blocking you, you usually will get nowhere. That's everyone's
first action. Threatening legal action doesn't help either, because then they
say that "we only are providing a service of listing numbers, we don't block
anyone", which is a loophole that shrugs off all responsibility. If they
didn't exist, would there be a problem? No? So then they must have some
bearing on the outcome.