Spam Database Listings

Apr 03 2010

The SORBS Spam Database is not a pleasant place to be listed, but it serves its purpose and highlights issues where a host may have a compromised web script.

The Spam Database also includes networks where spammers reside (or host servers) and where the network owner or ISP allows them to stay and has refused to terminate their services. More on that issue, and what you can do about it, follows later in this article.

So how does the SORBS Spam Database work? Quite simply, it lists the IP addresses from which we have received spam directly. That could be a compromised host, it could be an ISP’s mail server relaying for its users, or it could be a shared host running a script (PHP and Perl are the most common, but ASP and .NET have also been seen) that can be abused to send mail on behalf of spammers.

The SORBS Spam Database is split into five datasets (zones, or databases if you like), four of them time-based plus one for networks:
  • IPs sending spam in the last 48 hours.
  • IPs sending spam in the last 28 days.
  • IPs that have sent spam within the last year (365 days).
  • IPs that have sent spam in the past (no time limit).
  • Networks that have sent spam, are sending spam, or are where other spam services are hosted.
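The datasets above are published as DNS-based blocklists, so a mail administrator can check a single address against each of them with ordinary DNS lookups. The following is an added example (not SORBS’ own tooling): it builds the reversed-octet query name the DNSBL convention (RFC 5782) uses, asks each zone, treats only answers inside 127.0.0.0/8 as a listing, and runs the RFC 5782 sanity test (127.0.0.2 must be listed, 127.0.0.1 must not) so that a dead or wildcarding zone is not mistaken for a listing. The zone names are assumed from the published SORBS DNSBL names and are not stated on this page; confirm them against the current SORBS documentation before relying on them. The resolver is injectable so the logic can be exercised offline.

```python
"""Query the SORBS spam datasets for one IPv4 address.

Added example, not SORBS' own tooling.  The zone names below are ASSUMED from
the published SORBS DNSBL names (they are not given in the article); confirm
them against the current SORBS documentation before relying on them.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

SPAM_ZONES = {                     # dataset description -> DNSBL zone (assumed names)
    "last 48 hours": "new.spam.dnsbl.sorbs.net",
    "last 28 days": "recent.spam.dnsbl.sorbs.net",
    "last 365 days": "old.spam.dnsbl.sorbs.net",
    "any time": "spam.dnsbl.sorbs.net",
    "escalated netblock": "escalations.dnsbl.sorbs.net",
}

# A resolver maps a query name to the A record text, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookups reverse the octets and append the zone (RFC 5782):
    192.0.2.10 in spam.dnsbl.sorbs.net -> 10.2.0.192.spam.dnsbl.sorbs.net."""
    addr = ipaddress.IPv4Address(ip)           # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Real lookup over the network: an A record means listed, NXDOMAIN means not."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed_answer(answer: Optional[str]) -> bool:
    """Only answers inside 127.0.0.0/8 count as a listing.  Anything else is a
    broken resolver (NXDOMAIN hijacking, captive portal) and is ignored rather
    than treated as a listing."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False


def check_ip(ip: str, resolver: Resolver = live_resolver) -> Dict[str, Optional[str]]:
    """Raw answer per dataset, so the caller can see which list produced the hit."""
    return {desc: resolver(dnsbl_query_name(ip, zone)) for desc, zone in SPAM_ZONES.items()}


def listed_in(ip: str, resolver: Resolver = live_resolver) -> List[str]:
    """Datasets in which the address currently appears, in the order above."""
    return [desc for desc, ans in check_ip(ip, resolver).items() if is_listed_answer(ans)]


def zone_is_sane(zone: str, resolver: Resolver = live_resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone that fails this is dead or answering wildcards; do not block on it."""
    return (is_listed_answer(resolver(dnsbl_query_name("127.0.0.2", zone)))
            and not is_listed_answer(resolver(dnsbl_query_name("127.0.0.1", zone))))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    for desc, answer in check_ip(target).items():
        print(f"{desc:20s} {answer or 'not listed'}")
```

Run it with your mail server’s public address as the argument. Run `zone_is_sane` first in any automated check: a DNSBL that has shut down sometimes wildcards its zone, and a mail server that keeps blocking on it will then reject all inbound mail.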

You might ask, “What does ‘where other spam services are hosted’ mean?” Simply, the spammer might be hosting their website(s) there, or other things such as their DNS servers, all of which help the spammer continue to spam. You might then ask, “What’s the point if they are not sending mail from there?” We (SORBS) want ISPs and providers to get rid of the spammers on their networks and refuse to host them; after all, what is the point of sending spam if the minority of people who reply to it cannot be sold anything? Occasionally we list larger chunks of a network based solely on spam: this is where we have seen a continuous stream of spam from IPs in that network, with the spammer occasionally moving to other addresses to “get around” the listings. In that case the ISP is, knowingly or unknowingly, supporting the spammer on its network.

A spam escalation netblock listing is not a pleasant place to be, but we (SORBS) use it as a last resort to get the attention of the provider and apply gentle pressure on the provider to get rid of the spammer. If you find yourself the subject of such a listing, what follows are some suggestions as to what you can do:

  • Demand your provider terminate the spammers or the support services. This is an easy way to find out what business your provider is really in, but beware, the common responses are:
    • “SORBS will not delist, we’ve tried” – this means they talked to us, we told them they need to terminate the spammers, and they refused.
    • “SORBS requires a fine and we won’t pay it” – this means they know and accept that spam was sent, but they are unwilling to take responsibility for that spam even though it was their servers that sent it.
    • “We can’t contact anyone at SORBS” – as you already know from talking to us, this is not true; anyone can log a ticket through the SORBS Support System.
  • Move to another provider.
  • Use the SMTP service of another provider and the “smarthost” functionality of your mail server software to send email through another relay that you are authorised to use.

In the first point, these are the most common responses, and in each case they are an excuse to continue taking money from the spammers. What most people don’t know is that spammers will often provide “incentives” (aka bribes) to the salesman who sold them the service to ignore the spam complaints. The net result is that the ISP/provider can be getting as much as 5 times the normal rate for the hosting, so they don’t want to terminate the spammer. This means the spammer’s business is more important to them than yours. They are also banking on the fact that, once hosted, you might complain about the blocking, but in reality you don’t want to move because you have a good deal or you perceive that it is just too expensive to move. SORBS accepts this is a problem, but stands firm in that we need to keep the pressure on the providers; our customers support us in this stance, and unless you’re happy to get more spam, you should too.

So what happens if you have a single IP on the list? This usually means that your server has sent spam, and getting off the list varies depending on the type and frequency of the spam, whether you are the new owner of the netblock, and other circumstances. In each case we try to evaluate your situation and act accordingly. The Spam Database FAQ is quite firm in its stance and our policy, but in reality that firmness is there to make our lives easier. We do evaluate listings individually, we will delist people ‘free of charge’ (once), and we will delist old entries. If, however, we think that the spam issue from your IP is just starting, or we believe you haven’t actually done anything to ensure it does not happen again, we fall back to the policy and require a fine to be paid before we delist you. If you believe this to be extortion or blackmail you should read the article that discusses that issue.

Something we haven’t told people, but are often asked, is “How is the data compiled?” This article will touch on the subject and give some detail which, if used right, ensures you are never listed by SORBS, or only very rarely.

The vast majority of entries (well over 2 million as of April 2010) are listed because we received spam at one of our spamtrap servers, and the sending host was identified as a spam source because the message it delivered contained a known spam URI. “What?” Simply put, we receive around 10 million emails a day to disused domains: some recently expired, some expired for years. We decode the body of each message, process any JavaScript in a sandbox, and then check any URIs we find against SURBL and URIBL as well as our own (currently internal) list. If we find a match we wrap up the spam, checksum it, and send it to our ‘spam processing servers’. These servers check that the host sending the report is authorised to send spam reports, check the checksum of the message to ensure it has not been tampered with, and then unwrap the message and insert it directly into the Spam Database together with the checksum; we will (soon) write these messages directly to DVD-R (write once) as well. All of these measures ensure that the spam recorded actually came from one of our servers and that its origin has been recorded securely, both for law enforcement research and to prevent forgeries causing listings.
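The pipeline just described has two halves: the spamtrap decodes the body, extracts URIs and compares their domains with a blocklist; the processing server accepts a wrapped message only from an authorised host and only if its checksum still matches. The following is an added illustration of both halves (not SORBS’ own code). Everything specific is constructed: the sample message, the local set of blocklisted domains standing in for the SURBL/URIBL DNS lookups (a real trap would query `<domain>.<zone>` for each domain), and per-trap HMAC-SHA256 keys standing in for whatever host authorisation SORBS actually uses, which the article does not specify. The JavaScript sandboxing step is out of scope here. One detail worth copying: the IP that gets listed is taken only from the topmost Received header, the one the trap itself wrote; every Received header below it was supplied by the sender and can be forged.

```python
"""Spamtrap URI check and tamper-evident hand-off to a processing server.

Added illustrative example, not SORBS' own pipeline.  Constructed parts: the
sample message, the local blocklist standing in for SURBL/URIBL lookups, and
the per-trap HMAC keys standing in for SORBS' real host authorisation.
"""
import email
import hashlib
import hmac
import re
from email import policy
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for SURBL/URIBL and the internal list.  A real trap would
# issue a DNS query for <domain>.<zone> per domain instead of a set lookup.
BLOCKLISTED_DOMAINS = {"cheap-pills.example", "phish.example"}

# Constructed per-trap shared secrets: only hosts holding a key can submit.
TRAP_KEYS = {"trap01.example": b"constructed-demo-key-for-trap01"}

URI_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def body_text(raw: bytes) -> str:
    """Decode every text part; the email package undoes base64/quoted-printable
    and charsets, so encoded bodies still yield searchable text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() in ("text/plain", "text/html"))


def registered_domain(uri: str) -> str:
    """Reduce a URI to its last two host labels so random subdomains do not
    evade the list (naive: no public-suffix list, so co.uk-style names collapse)."""
    if not uri.lower().startswith(("http://", "https://")):
        uri = "http://" + uri
    host = (urlsplit(uri).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])


def matched_domains(raw: bytes) -> set:
    """Domains in the body that hit the blocklist (empty set: not spam by this test)."""
    return {registered_domain(u) for u in URI_RE.findall(body_text(raw))} & BLOCKLISTED_DOMAINS


def wrap(raw: bytes, trap_id: str) -> Optional[dict]:
    """Trap side: on a URI match, wrap the message with a content checksum and
    an HMAC binding it to this trap.  Returns None when nothing matched."""
    matched = matched_domains(raw)
    if not matched:
        return None
    tag = hmac.new(TRAP_KEYS[trap_id], trap_id.encode() + b"\0" + raw, "sha256").hexdigest()
    return {"trap": trap_id, "sha256": hashlib.sha256(raw).hexdigest(),
            "matched": sorted(matched), "message": raw.hex(), "tag": tag}


def connecting_ip(raw: bytes) -> Optional[str]:
    """The IP to list is the host that handed the message to the trap: the
    topmost Received header, written by the trap itself.  Lower Received
    headers are sender-supplied and must not be trusted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    m = RECEIVED_IP_RE.search(received[0]) if received else None
    return m.group(1) if m else None


def process_report(report: dict, db: list) -> Optional[str]:
    """Processing-server side: reject reports from unknown traps or with a bad
    tag or checksum; otherwise record the entry and return the listed IP."""
    key = TRAP_KEYS.get(report.get("trap"))
    if key is None:
        return None                                  # host not authorised to report
    raw = bytes.fromhex(report["message"])
    expected = hmac.new(key, report["trap"].encode() + b"\0" + raw, "sha256").hexdigest()
    if not hmac.compare_digest(expected, report["tag"]):
        return None                                  # forged or tampered in transit
    if hashlib.sha256(raw).hexdigest() != report["sha256"]:
        return None                                  # stored checksum does not match body
    ip = connecting_ip(raw)
    if ip is None:
        return None
    db.append({"ip": ip, "trap": report["trap"], "sha256": report["sha256"],
               "matched": report["matched"]})
    return ip


# Constructed sample: a message as a spamtrap would have received it.
SAMPLE_SPAM = b"""Received: from mx.example.net ([192.0.2.10]) by trap01.example; Sat, 3 Apr 2010 10:00:00 +0000
Received: from [10.0.0.5] by mx.example.net; Sat, 3 Apr 2010 09:59:00 +0000
From: promo@sender.example
To: old-account@expired-domain.example
Subject: Best prices
Content-Type: text/plain; charset=us-ascii

Visit http://shop.cheap-pills.example/buy?ref=1 today!
"""

if __name__ == "__main__":
    spam_db = []
    report = wrap(SAMPLE_SPAM, "trap01.example")
    print("listed:", process_report(report, spam_db))   # prints: listed: 192.0.2.10
```

The HMAC covers the trap identifier together with the full message, so a report cannot be replayed under another trap’s name or altered without the tag failing; the separate SHA-256 is what gets stored alongside the entry as the article describes, so a later reader of the database (or of the write-once media) can verify the record against the message.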

Other methods of determining spam are simpler: we use people. We have a system that interfaces to the same wrap-up method we use for the spamtrap servers, but the SORBS admins, from around the world and many professions, have the task of sorting mail from spam. The spam we get in our inboxes is moved (by hand) to a folder called “Spam4SORBS”, “Spam” or even “Junk Mail”, and every 5 minutes a “robot” logs into the server as the user (or the administrator checks those folders), grabs all the messages, wraps them and sends them to the spam processing servers.

Lastly there are web forms, such as the Spam Submission beta test and our admin interface, where we can either cut and paste spam or create network listings of 1 IP through to 65536 IPs or more. All listings that are not for a single IP are checked by the other SORBS administrators for detail and mistakes. This is also to prevent a repeat of the past, where someone working for another anti-spam service was able to create 3 very large listings which had an immediate and detrimental effect on the SORBS service, as well as upsetting millions of email users who were blocked. Note: we also do background checks on all our new staff and have them sign contracts, which should prevent a re-occurrence.

So how do you get out? Simply, you have to follow the SORBS Spam Database FAQ, or convince one of our staff that you and your IP are not going to spam again. In reality we know you can’t guarantee this, but you need to take measures to minimise the risk. It’s no good saying, “We found a virus on one of our machines and removed it”, because that doesn’t stop it re-occurring. Basic network hygiene dictates that you should have up-to-date anti-virus software (with current definitions) running on ALL your hosts, you should be patching your machines regularly, and you should be using your vendors’ tools to verify that the patches are actually applied. If you are not doing this already, then that is the likely cause of the problem.

Consider the basic security implications of getting a virus that sends spam. If the host is infected and sending spam, it could also have key-logged everything on that server and sent it to the virus creator; it could have sent most of your corporate secrets. It could also have sent compromising photos which could be used to blackmail you later. “That’s just scare tactics,” you might shout, but every one of those scenarios has already been seen in the real world. People have had their banking details stolen and thousands of dollars sent to money laundering accounts in Russia. Businessmen who are also cross-dressers, and VIPs who are cheating on their partners, have been blackmailed into sending thousands of dollars to people around the world. Ideas and works that were about to be patented have been stolen and sold to the highest bidder. Spam is only what keeps a regular income, a sideline you might say; the real money is in the scams, the emptying of bank accounts and blackmail, all of which is run by organised crime. The people behind the spam and viruses have a lot of money to pay developers to come up with new ways to get into your systems and steal from you. Spam is no longer just about email; it is about money, real money, and lots of it.

The SORBS database is a tool you can use to help identify where you went wrong, as it will flag problems within minutes. This might be too late for your personal data, but it is better to be forewarned, as then you can be forearmed. The Spam Database is there to stop the flow of spam (and sometimes viruses) into the networks of SORBS users, giving them another line of defence. This might be an inconvenience for you in the short term, but consider the implications for them, and for you, if they are infected by something you have sent.

I wonder how long it will be before corporate America has some big scandal where someone who hasn’t taken measures to protect their network is sued for negligence when that network successfully attacks someone else, resulting in a loss of corporate secrets worth millions…?
