The various databases…

Apr 02 2010

It seems this topic keeps coming up with a regularity that is surprising, if annoying at times. People seem to confuse the SORBS databases and get angry about the fine, assuming it applies to DUHL and Proxy entries and so on. This is of course pointless: SORBS only charges for removal from the SORBS Spam Database, and the other databases have their own delisting policies.

Herein lies the problem: many people think “the SORBS Spam DB” means any listing in the SORBS database, which of course is completely wrong. For those with a technical background, SORBS v1.0 has several tables in a single database; each table holds data about IP addresses and networks, and these are exported to the RSYNC and DNS servers every minute into different ‘zones’.

A detailed explanation of what each zone is and what it contains can be found on the Using SORBS page; what follows is a list of the individual zones and what they are called:

http.dnsbl.sorbs.net - This is the SORBS HTTP Proxy Database
socks.dnsbl.sorbs.net - This is the SORBS SOCKS Proxy Database
misc.dnsbl.sorbs.net - This is the SORBS Miscellaneous Proxy Database
smtp.dnsbl.sorbs.net - This is the SORBS Open-Relay Database
new.spam.dnsbl.sorbs.net - This is the SORBS Spam Database
recent.spam.dnsbl.sorbs.net - This is the SORBS Spam Database
old.spam.dnsbl.sorbs.net - This is the SORBS Spam Database
escalations.dnsbl.sorbs.net - This is the SORBS Spam Database
web.dnsbl.sorbs.net - This is the SORBS Web and Vulnerability Database
block.dnsbl.sorbs.net - This is the SORBS Admin Block Database
zombie.dnsbl.sorbs.net - This is the SORBS Zombie Network Database

From this quick look you can see that the Spam Database is only a small part of what SORBS offers.

What does this mean to you? Quite simply: if you are blocked by SORBS, then unless your database lookup says ‘Spam Database’ you have nothing to pay; there is no fine.
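As an added illustration (not a SORBS tool), the following Python lookup maps each zone from the list above to the database name the post gives it, so that a result names the database rather than just “listed in SORBS”. It assumes the conventional DNSBL semantics that any A answer for the reversed-octet name under a zone means listed, and takes an injectable resolver so the logic can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Zone -> database name, exactly as enumerated in the post above.
SORBS_ZONES: Dict[str, str] = {
    "http.dnsbl.sorbs.net": "HTTP Proxy Database",
    "socks.dnsbl.sorbs.net": "SOCKS Proxy Database",
    "misc.dnsbl.sorbs.net": "Miscellaneous Proxy Database",
    "smtp.dnsbl.sorbs.net": "Open-Relay Database",
    "new.spam.dnsbl.sorbs.net": "Spam Database",
    "recent.spam.dnsbl.sorbs.net": "Spam Database",
    "old.spam.dnsbl.sorbs.net": "Spam Database",
    "escalations.dnsbl.sorbs.net": "Spam Database",
    "web.dnsbl.sorbs.net": "Web and Vulnerability Database",
    "block.dnsbl.sorbs.net": "Admin Block Database",
    "zombie.dnsbl.sorbs.net": "Zombie Network Database",
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: IPv4 octets reversed, under the zone.
    Raises ValueError for anything that is not a valid IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolver(name: str) -> bool:
    """Conventional DNSBL semantics (an assumption here): any A answer
    means listed; a lookup failure (NXDOMAIN) means not listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_ip(ip: str, resolve: Callable[[str], bool] = dns_resolver) -> Dict[str, object]:
    """Query every zone and report which SORBS databases list the IP.
    'resolve' is injectable so the logic can run without network access."""
    hit_zones: List[str] = [z for z in SORBS_ZONES if resolve(dnsbl_name(ip, z))]
    databases = sorted({SORBS_ZONES[z] for z in hit_zones})
    return {
        "ip": ip,
        "zones": hit_zones,
        "databases": databases,
        # The post says only a Spam Database listing carries a fee.
        "spam_database": "Spam Database" in databases,
    }
```

Calling check_ip("a.b.c.d") with the default resolver queries the live zones; the "spam_database" flag is the one that matters for the fee question above.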

Now, what are all the databases?

The HTTP, SOCKS and MISC databases all list proxy servers of one sort or another, and getting delisted is a simple matter of obtaining a key and sending a specifically formatted message to our test address. This causes servers around the world to issue random tests against the server immediately, and if it appears no longer to have a proxy, the IP address is delisted. Over the following few weeks other servers perform the same tests at random to help ensure that the proxy server was secured and not just ‘turned off’.

The Open-Relay database is similar to the proxy databases in that delisting works the same way; however, rather than testing for an open proxy, it tests whether the server is a mail server that will relay messages for anyone.

The Web and Vulnerability database is a little secretive about how it works, but here’s the gist… If your host sends messages into our spamtraps, the connection information is checked: things like the TCP flags, the hostname, the IP address, the SMTP commands it uses and in which order, and the number of times it attempts to connect in a certain period of time. If certain conditions are met, the host is listed as a ‘Possibly Trojaned Host’. Additionally, if the host attempts to send viruses to the spamtrap servers it could also cause a listing, though these are more stringently checked, as we do not wish to list ISPs’ mail servers for delivering virus payloads even though they should be virus scanning ALL mail.

The Zombie Database is not a database of hosts that are zombie machines, but of networks that have been hijacked. Hijacking occurs when a network becomes disused or the owner falls into receivership, and a spammer takes over the network by fraudulent means. A lot of research goes into entries in this database, and removal requires more research, which a listee can aid by proving their legal ownership of the domain concerned.

The Admin Block database is where the administrator of the network has requested that they never be contacted by anyone at SORBS or by any of the test machines; to prevent SORBS servers from being triggered into sending messages or contacting their networks, a general block is placed on every service. Removal can happen at any time when the registered network owner requests delisting.

The Spam Database, well, this one is where we put IPs sending spam, and any netblocks that are actively supporting spammers. This means that occasionally people are blocked because of other people within their network. More information on this issue can be found in our ‘Spam Database Listings’ article.

I hope this gives a little insight into how the SORBS databases are defined, and that you will now understand that a listing in SORBS doesn’t mean you’re “listed on the spam database” but can mean a variety of other things.
