How to use (and not to use) SORBS…

Apr 10 2010

Many times we have been accused of telling people to use the wrong SORBS zones. The most pathetic accusation was that we were telling everyone to use a particular zone, simply because we showed it in the examples on how to configure SORBS or any other DNSBl.

There are currently many zones available in SORBS, some of which are single zones and some of which are aggregate zones (a zone that consists of data from more than one zone). The main two zones for using SORBS are ‘dnsbl.sorbs.net’ and ‘safe.dnsbl.sorbs.net’, the difference being that one is ‘safer’ to use than the other. ‘Safer’ is of course a very subjective word and is interpreted in many ways; SORBS uses ‘safer’ to mean a reduction in false positives (where you might block real mail that you didn’t want to block), the downside being that it catches less spam. If you don’t want to evaluate the zones for your own use, as we have suggested since the inception of the ‘Using SORBS’ page, and want advice from us, this is how we (the SORBS administrators) use SORBS.

For our mail servers that desire less spam, where false positives are not so important, we use ‘dnsbl.sorbs.net’ for default blocking; we also use ‘cbl.abuseat.org’ as well as ‘level1.bbfh.ext.sorbs.net’. For the mail servers we administer on a corporate level, where the directors and CEOs have specified they’d rather have more spam than the risk of losing real email, we configure ‘safe.dnsbl.sorbs.net’ and ‘cbl.abuseat.org’. In both cases we do not use any pay-for services such as Trend Micro’s RBLs and the Spamhaus DNSBls. We use SpamAssassin and ClamAV to scan all the content passing through the servers and use the default DNSBl services included with SpamAssassin. In corporate environments we mark a header for the spam score and have rules on all the internal email servers to automatically put ‘spam email’ in a junk folder. In non-corporate environments we configure SpamAssassin into the MTA to reject any message that causes the spam score to exceed the ‘it is spam’ threshold.

For other servers many of the other zones are used; for example, a number of chat networks use the zone ‘proxies.dnsbl.sorbs.net’ to block incoming connection requests. Other financial services networks use the ‘web.dnsbl.sorbs.net’ zone to detect and reject trojaned machine connections, thereby reducing online financial fraud.

So far we have described how to use SORBS, but just as important is how not to use SORBS.

  • Do not use the SORBS DUHL for blocking connections from your users to your mail servers! This might sound silly, but we have seen it. If you wish to use the SORBS DUHL, either whitelist your own users or set up secure connections with SMTP AUTH to bypass the restriction.
  • Do NOT use the SORBS DUHL in ‘deep header parsing’ unless it is to increase the likelihood that the message is NOT spam. Again, this might sound very basic and very simple common sense; however, the current incarnation of the Barracuda Anti-Spam appliance (April 2010) has been reported as using the SORBS DUHL (amongst other non-SORBS dynamic zones) for deep header parsing.
  • Do not configure SORBS zones in a way that the blocked person has no idea why they are blocked. This is something that we of SORBS have constant issues with: aside from people messaging us saying they are blocked and the final analysis being that it’s another DNSBl and not SORBS, we also get a lot of people who have no idea what their IP address is. Worse, the message they get back states something like, “You message was rejected, reason: blacklisted at SORBS.NET”. Now imagine yourself a home user with little understanding of how email works, let alone what an IP address is: how are you going to know what you are blocked for?
  • Do not use SORBS from third party distribution sites. SORBS provides free access for 99.99% of the world, and as such if you get zones or queries from other systems the chances are the data is already out of date, and worse it may be as much as a few days or weeks old. There are NO Authorised third-party distributors of the SORBS zones.

As we have stated on the ‘Using SORBS’ page, the most important thing to do when choosing your anti-spam resources is to do your own research. Don’t take our word for it: run your server tagging things that would be blocked by SORBS (and other services) and then check out how good (or bad) we are. Then choose what is good for you; blindly accepting people’s recommendations from the Internet (even ours) will result in messages you want being blocked and spam that you want to block getting through.
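The points above (exempt your own and authenticated users, tell a blocked sender which address was listed and where, and run in tag-only mode while evaluating a zone) can be sketched as follows. This is an added example, not SORBS code; the local network range, the `X-DNSBL-Would-Block` header name and the reply wording are assumptions, and only IPv4 clients are handled.

```python
import ipaddress
import socket

# Assumptions for this sketch: zone choice, local range and wording are
# illustrative only; evaluate the zones yourself before blocking on them.
ZONES = ["safe.dnsbl.sorbs.net", "cbl.abuseat.org"]
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed "own users" range


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_listed(name):
    """True if the name resolves (listed). Lookup failures count as not listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_client(ip, authenticated=False, tag_only=False, listed=dns_listed):
    """Return (action, text): action is "accept", "tag" or "reject"."""
    addr = ipaddress.ip_address(ip)
    # Own users and SMTP AUTH sessions bypass the lists entirely.
    if authenticated or any(addr in net for net in LOCAL_NETS):
        return ("accept", "")
    hits = [z for z in ZONES if listed(dnsbl_name(ip, z))]
    if not hits:
        return ("accept", "")
    where = ", ".join(hits)
    if tag_only:
        # Evaluation mode: deliver, but record what would have been blocked.
        return ("tag", "X-DNSBL-Would-Block: %s listed in %s" % (ip, where))
    # Name the listed address and the list, so the sender knows what to fix.
    return ("reject",
            "550 5.7.1 Mail from %s refused: address is listed in %s" % (ip, where))
```

Passing a different `listed` callable lets the same policy be exercised against recorded lookups instead of live DNS.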

Sites such as ‘The DNSBl Resource’ are run by people who work for Email Marketing companies (ESPs), and it is their job to ensure their customers’ messages get into your inbox. Many such companies claim to be ‘CANSPAM’ compliant, which means they are ‘Opt-Out’ emailers; this is an issue if you are not located in the USA, as the law requires they be ‘Opt-In’ only in places such as Europe and Australia. Opt-Out emailing in Australia is categorised as Spam, so joining the dots in this section so far, we can conclude that it is the purpose of the sites’ owners to ensure the spam they are paid to deliver gets into your inbox.

So what concern is this?

SORBS blocks a lot of these “ESP” companies due to the massive amount of abuse we see (*see footnote), and consequently it is common for them to build a reputation of trying to be fair and honest in their evaluation of which DNSBl based resources to use. The following statement captured from ‘The DNSBl Resource’ clearly sums up this position and the hidden agenda:

“I’ve been working with email senders and email receivers for more than ten years. Time flies when you’re having fun, helping the good guys block unwanted mail and pressuring the bad guys to reduce false positive blocking.”

Which means he (the site owner: Al Iverson) works with anyone that doesn’t block his services to try and force those who do block his services to allow his company’s email through.

SORBS’ view is clear in this matter: research yourself, as there are many people out there who want you to work to their agenda. SORBS’ agenda is simple: we want people to stop sending spam. We don’t care how much money Professional/Legal spammers/Email senders lose, just stop filling our mailboxes and those of others with junk. We don’t want it.

* One of the ESPs who say they are ‘anti-spam’ and ‘opt-in’ only managed 30,000 individual spams to one of our servers in a 24 hour period. This was exceptional, the normal load being around 1,000 per day, but it clearly shows the issue.
