Archive for June, 2010

Escalated listings, and listing multi server hosts… why do you do it…?

Jun 21 2010 Published by Michelle Sullivan under Spam Database

The question of escalated listings is not a simple one to many people, but escalated listings in reality are simple and are there for a simple reason.

First, as per the title of this document, a little explanation is in order. Many people confuse escalated listings with single IP multi server hosts (aka virtual server hosts). The differences between the two are very simple.

A multi server host (aka virtual server host) has one or more IP addresses and lots of virtual hosts. The virtual server hosts can be full virtual machines or just virtual webservers; the difference is not important here, as the net effect is that a single piece of hardware uses a single IP address for multiple clients (people/customers). When the IP address sends spam, it is listed at places like SORBS, and mail from that host (for all the servers) is blocked or marked as spam.

An escalated listing, on the other hand, is where a whole network of IP addresses is listed in SORBS, and all hosts and IPs (whether assigned to a single customer or multiple) are listed and therefore blocked or result in spam folder issues.

Why does SORBS create escalated listings?

The simple answer is to stop spam.

You ask, “How does listing innocent IPs help stop spam?”

Simple: some providers don’t care about spam; to them the bottom line is all that counts. Spammers pay lots of money for servers, and as such the company doesn’t want to kick them off their servers. As an example, one of the SORBS servers in the USA is a 16 core server with 3T of monthly traffic, which we pay around $1700/month for. $1700/mo is no insignificant amount, and if you are a sales person with a monthly sales target of $10k per month (ie if you don’t hit that minimum every month you get fired) and you have a spammer that rents 3 of these servers, you don’t need a lot more servers to hit your monthly target. Better yet, most sales people get commission for sales over their minimum, so the more of these servers you sell the more you make. Bear in mind at this point that a normal web service host that you might purchase is usually around $100/mo… A significant difference!

So why list multiple hosts? Well, in the example above, a sales person making even just $1700 per month from his spamming customer is not going to terminate (or even chastise) a customer that is causing abuse reports. He’s not going to care if the SORBS admins add the IP address the spammer is using to the SORBS lists. What he will care about is if his other customers suddenly start complaining; he’ll be even more likely to terminate the spammer if he starts losing money. So thinking about the maths, you have one spammer paying in $1700/mo and 20 customers paying in $100/mo; you’re going to ignore the issue unless 17 of your customers decide to go somewhere else…

Now does SORBS like this idea? No, of course not; we’d prefer to send in the abuse report and see the spammer removed from the network post-haste. We don’t want to list innocent people, and so we use it as a last resort. Our Spam DB FAQ details escalated listings and how we do them; we rarely follow it to the strict letter of the policy, mostly allowing a lot longer time limits and more spam before we escalate. For known spammers we follow the policy strictly, being very forceful as quickly as possible.

SORBS’ goal is to stop spam, not to make money, and not to help anyone else make money. The simple fact is if you are using the same server as a spammer you will be blocked, if you are in the same network as a spammer you will be blocked. If you are using the same ISP as the spammer and the ISP chooses to continue hosting the spammer and ignore SORBS you will be blocked, and in the latter case we recommend you go find another ISP.

So what are the chances of you moving from one ISP to another ISP with spammer problems?

Well, that question depends on how much you are spending. If you go looking for the cheapest servers, the chances are you’ll find the servers where spammers have already been or where they are still. The best thing you can do is talk to a sales person and ask them about SORBS listings; ask them what would happen if you get listed. If he says, “oh don’t worry about it we’ll help you sort it”, or “whilst you’re paying your monthly fee, we don’t care” or some other variant, find another ISP; they are the providers that will cause you trouble in the long run. If on the other hand they say, “well we’ll terminate your contract on the first sign of trouble due to our strict AUP, and we might even charge you a cleanup fee”… Choose that ISP, the chances are they’ll never experience an escalated listing issue!!!

We want to talk to SORBS about listings, why do you not answer our questions on mailing lists?

Jun 17 2010 Published by Michelle Sullivan under Uncategorized

This is often a point of contention with people attempting (and especially after being refused or restricted on) delisting.

The SORBS staff do not participate in many email lists: some we are on only to monitor, on some we will talk about general issues, and in others we do not participate.

The lists we participate in are:

  • Zorch – a private and restricted membership list that participants have to be nominated then invited to. Spam and Email deliverability is discussed.
  • NANOG – an open list where network issues are discussed.
  • NZNOG – an open list where network issues are discussed.
  • UKNOF – an open list where network issues are discussed.
  • ASRG – an open list where spam blocklists are discussed.
  • Postfix-Users – an open list where the postfix mail server is discussed.
  • Patternity – where spam netblocks are reported.
  • dnsbl-users – an open list where the usage of SORBS can be discussed.

Lists which SORBS admins may or may not be monitoring but will never reply to a message:

  • Spam-L – an open list created to replace the original Spam-L that is to discuss spam.

There are also various forums and news groups (eg: news.admin.net-abuse.email – NANAE) where SORBS staff sometimes post.

SORBS Support issues are discussed in some of the forums, mailing lists, and news groups, but regardless of SORBS membership will never be resolved by discussion on such a group. A good example of this is the Spam-L list where the main SORBS admin does not participate or subscribe following a decision of the moderation team to get involved in an argument about the merits or problems of SORBS then disable the ability of SORBS staff to reply. Another example is Zorch where SORBS staff removed themselves from the list when it was found that private information discussed was repeated by some members in public forums such as Spam-L. The policy of Zorch has been and should always be that discussions on the list are not to be repeated off the list except where express (written) permission was given, the vetting of members is designed to aid in that policy, but fails from time to time due to accidental (sometimes deliberate) disclosure.

In all cases, listing and delisting of IPs or networks must be discussed and approved in the SORBS Support system ( http://support.sorbs.net/ ). Anyone offering advice to the contrary is not a SORBS staff member or will be removed from the staff very shortly thereafter.

For this reason it is a pointless exercise and waste of time to discuss these issues there.


I’ve been told not to use SORBS as it is not a legitimate list.

Jun 17 2010 Published by Michelle Sullivan under Uncategorized

It has come to SORBS’ attention that some providers of mail services are sending out messages similar to MessageLabs’ message:

Thank you for contacting SHS Global Client Support regarding blocks
   on our email infrastructure.
 
There are many organisations/authorities around the world that offer
    a means of blocking email based on list entries that their users
    can subscribe to.  Whilst many are entirely legitimate and
    beneficial, some authorities have aggressive listing policies or
    lists that are almost impossible to be removed from.  As a result,
    SHS do not recognise these authorities as legitimate.
 
Some of the block list providers will charge listed parties to
    become removed from the list.  Once the fee has been paid and the
    IP delisted, the owner of the IP may find that they have become
    listed again a very short time later.  Lists like this aren’t
    providing a beneficial service and their use can cause mails not to
    be delivered even if the mails/sender are legitimate.
 
Other block list providers that we do not recognise as legitimate
    may look at the way email is handled.  Some block lists will spot
    the way our service relays mail from client to recipient and from
    sender to client.  Our relay-based service means that our
    infrastructure can become blocked causing unnecessary mail
    failures.
 
In instances where SHS have become blocked by what we consider to be
    “unhelpful” block list providers, we are unable to request de-
    listing of our IP addresses.  In these instances, we ask the client
    in question if they would kindly notify the intended recipient that
    they are using a block list that causes large amounts of false
    positives and that email from yourselves has been stopped.  The
    intended recipient should be discouraged from using such lists in
    favour of more legitimate lists available on the internet.
 
We are currently aware of some block list providers that can cause
    problems with SHS email routing and that we are unable to resolve
    by becoming de-listed.  These lists are known as:
 
 -          SORBS (www.sorbs.net)
 -          BACKSCATTERER (www.backscatterer.org)
 -          SPEWS (APEWS)
 
 SORBS will list very aggressively and often without consideration to
    the services we are offering our clients.  To become removed from
    the SORBS list, they charge a fee which will often be only a
    temporary de-listing before we get placed back on the list.  We
    have tried to work with SORBS but they are less than happy to co-
    operate with us despite our efforts against the constant threat of
    email borne malware and spam.  As a result we do not recognise them
    as a legitimate list provider and request any clients experiencing
    issues contact their intended recipients to advise of the problems
    caused by using the list.
 
BACKSCATTERER is a list that almost always contains SHS IP
    addresses.  As stated on the backscatterer.org website, their list
    is not one that contains spam preventing listings but instead
    sender callout abusers or users that send backscatter.  They advise
    on the site that many big email providers/ISP’s will send NDR
    (bounce messages) because the systems they use incorporate
    relaying.  Backscatter, is the process of sending NDRs to non-local
    users. Because of the way the SHS system operates, we have the need
    to deliver NDRs outside of our own network, or our clients would
    never be aware of messages that we were unable to deliver.  This
    puts us at odds with backscatterer.org.  If you are having an issue
    delivering to a third party who is using backscatterer as a spam
    list, the third party should be educated and instructed to further
    investigate the http://www.backscatterer.org/ website to
    familiarize themselves with the concept of the list. Backscatter's policy is that they
    maintain their own list for specific purposes and as such will not
    delist anyone, unless a fee is paid. Notably, they also recommend
    that their list is not used as a basis for rejecting mail.
 
SPEWS (APEWS) is a list that is no longer maintained.  It was once
    responsible for blocking large areas of “netspace” and only dealing
    with ISP’s.  Because the list is no longer in service, there may be
    DNS records that refer to an old database.  For this reason this
    list should not be used and de-listing is not a possibility.
 
There are also likely to be other organisations that operate in
    similar ways.  At present we have not discovered these lists but
    this response could stand for lists not named above.
 
Due to the reasons above, we are unable to become de-listed and as
    such unable to affect the course of any email destined to
    recipients using these lists.  Whilst we applaud third parties
    willingness to prevent spam and utilise such lists, there are many
    other more legitimate lists that can be utilised.  SHS work closely
    with those offering legitimate lists to ensure our infrastructure
    isn’t impacted should somebody abuse/compromise our system or one
    of our clients systems.
 
Please feel free to respond with any questions or comments regarding
    the above.  Alternatively if you wish to check the status of an
    IP/block list, please do not hesitate to contact us.
 
Once again, please accept our sincerest apologies for not being able
    to offer more assistance on this matter.
 
 
Kind Regards
 
*** *******
Support Centre Analyst
Symantec Hosted Services
www.messagelabs.com
   24x7 Global Client Support Centre:
US/Canada: +1 (866) 807 ****
EMEA: +44 (0) 870 850 ****
Australia: 1 (800) ******
Hong Kong: 1 (800) ******
Asia Pacific: +852 6902 ****
*****@messagelabs.com

One should note the immediate and glaring accuracy issue: SPEWS isn’t, never was and never will be associated with APEWS (or ASPEWS – another replacement for SPEWS).

Now on to the message. The email is quite patently designed to mislead users of SORBS into believing that MessageLabs are the good guys and SORBS are the scum of the earth. The reality is that MessageLabs have refused to officially enter into negotiations with SORBS on any level on multiple occasions. They log support requests to ‘get delisted’ and sometimes are refused based on recent examples of spam or the sheer volume requiring a donation to a charity because of the spam volume; MessageLabs rarely (if ever) reply to our messages to continue negotiation. The SORBS support system is there to provide a recorded two way communication path; some, such as MessageLabs, use it as a write only path. They write their messages and ignore any replies.

SORBS lists spamming IP addresses (sources of spam) that may be used for blocking of spam into the mail system that is utilising SORBS as a blocklist. MessageLabs have never paid for delisting from SORBS despite multiple removals from the SORBS spam database (please do read the article about the fine; SORBS only places the fine on sources of spam that keep spamming, and only for those sources that spam SORBS directly). SORBS consists of multiple databases and does not charge for delisting from the majority of the databases.

MessageLabs keep getting relisted in the SORBS database because they are contracted by their customers to deliver all messages they send. This appears to be the basis of their ‘right’ to send spam. SORBS disagrees, spam is spam, and if you as a provider do not implement effective outgoing spam filtering, you will be restricted on delivery options at some time.

SORBS is considered to be an aggressive blocklist but considering that SORBS receives more than 30 billion lookups per day by tens of thousands of users it is patently obvious that SORBS is a legitimate list regardless of MessageLabs (or any other company’s) claims.

The facts are simple, if you deliver spam to our servers you will be listed sooner or later. If you do not deliver spam to our servers you should never be listed. MessageLabs despite their claims to the contrary deliver spams to our servers on a regular and ongoing basis, and as such they are listed in our database of deliverers of spam (the SORBS Spam DB.)

UPDATE [24/Aug/2010]: SORBS has spoken to MessageLabs and the message being sent is now being changed, and we are discussing issues.  This page is being left as an example only as we see other messages similar to this from time to time from other providers.  Kudos to the admin @ MessageLabs that enacted the change and a discussion.
