Archive for the 'Spam Database' Category

Escalated listings, and listing multi server hosts… why do you do it…?

Jun 21 2010 Published by Michelle Sullivan under Spam Database

The question of escalated listings is not a simple one to many people, but escalated listings in reality are simple and are there for a simple reason.

First, as per the title of this document, a little explanation is in order. Many people confuse escalated listings with single-IP multi-server hosts (aka virtual server hosts). The differences between the two are very simple.

A multi-server host (aka virtual server host) has one or more IP addresses and lots of virtual hosts. The virtual server hosts can be full virtual machines or just virtual webservers; the difference is not important here, as the net effect is that a single piece of hardware uses a single IP address for multiple clients (people/customers). When the IP address sends spam, it is listed at places like SORBS and mail from that host (for all the servers) is blocked or marked as spam.

An escalated listing, on the other hand, is where a whole network of IP addresses is listed in SORBS, and all hosts and IPs (whether assigned to a single customer or multiple) are listed and therefore blocked or end up in spam folders.

Why does SORBS create escalated listings?

The simple answer is to stop spam.

You ask, “How does listing innocent IPs help stop spam?”

Simple: some providers don’t care about spam; to them the bottom line is all that counts. Spammers pay lots of money for servers and as such the company doesn’t want to kick them off their servers. As an example, one of the SORBS servers in the USA is a 16 core server with 3T of monthly traffic, which we pay around $1700/month for. $1700/mo is no insignificant amount, and if you are a salesperson with a monthly sales target of $10k per month (i.e. if you don’t hit that minimum every month you get fired) and you have a spammer that rents 3 of these servers, you don’t need a lot more servers to hit your monthly target. Better yet, most salespeople get commission for sales over their minimum, so the more of these servers you sell the more you make. Bear in mind at this point that a normal web service host that you might purchase is usually around $100/mo… A significant difference!

So why list multiple hosts? Well, in the example above a salesperson making even just $1700 per month from his spamming customer is not going to terminate (or even chastise) a customer that is causing abuse reports. He’s not going to care if the SORBS admins add the IP address the spammer is using to the SORBS lists. What he will care about is if his other customers suddenly start complaining; he’ll be even more likely to terminate the spammer if he starts losing money. So thinking about the maths, if you have one spammer paying in $1700/mo and 20 customers paying in $100/mo, you’re going to ignore the issue unless 17 of your customers decide to go somewhere else…

Now does SORBS like this idea? No, of course not; we’d prefer to send in the abuse report and see the spammer removed from the network post-haste. We don’t want to list innocent people, and so we use it as a last resort. Our Spam DB FAQ gives details about escalated listings and how we do them; we rarely follow it to the strict letter of the policy, mostly allowing much longer time limits and more spam before we escalate. For known spammers we follow the policy strictly, being very forceful as quickly as possible.

SORBS’ goal is to stop spam, not to make money, and not to help anyone else make money. The simple fact is if you are using the same server as a spammer you will be blocked, if you are in the same network as a spammer you will be blocked. If you are using the same ISP as the spammer and the ISP chooses to continue hosting the spammer and ignore SORBS you will be blocked, and in the latter case we recommend you go find another ISP.

So what are the chances of you moving from one ISP to another ISP with spammer problems?

Well, that question depends on how much you are spending. If you go looking for the cheapest servers, the chances are you’ll find the servers where spammers have already been or where they still are. The best thing you can do is talk to a salesperson and ask them about SORBS listings; ask them what would happen if you get listed. If he says, “oh don’t worry about it, we’ll help you sort it”, or “whilst you’re paying your monthly fee, we don’t care” or some other variant, find another ISP; they are the providers that will cause you trouble in the long run. If on the other hand they say, “well, we’ll terminate your contract on the first sign of trouble due to our strict AUP, and we might even charge you a cleanup fee”… Choose that ISP; the chances are they’ll never experience an escalated listing issue!!!


Spam Database Listings

Apr 03 2010 Published by Michelle Sullivan under Spam Database,Using SORBS

The SORBS Spam Database is not a pleasant place to be listed, but it serves its purpose and highlights issues where a host may have a compromised web script.

The other thing the Spam Database includes is networks where spammers reside (or have servers) that the network owner or ISP allows and has refused to terminate their services… More on that issue and what you can do about it can be found later in this article.

So how does the SORBS Spam Database work? Well, quite simply, it lists the IP addresses we have received spam from directly. This could mean a compromised host, it could mean an ISP’s mail server for its users, or it could mean a shared host where there is a script (PHP and Perl are the most common, but ASP and .NET have also been seen) that can be abused to allow mail to be sent on behalf of spammers.

The SORBS Spam database is split into 4 different datasets (Zones or Databases if you like) each described in this simple list:

new.spam.dnsbl.sorbs.net - IPs sending spam in the last 48 hours.
recent.spam.dnsbl.sorbs.net - IPs sending spam in the last 28 days.
old.spam.dnsbl.sorbs.net - IPs that have sent spam within the last year (365 days).
spam.dnsbl.sorbs.net - IPs that have sent spam in the past (no time limit).
escalations.dnsbl.sorbs.net - Networks that have sent spam, are sending spam, or are where other spam services are hosted.

You might ask, “What does ‘where other spam services are hosted’ mean?” Well simply it means the spammer might be hosting their website(s) there, they might be hosting other things like their DNS servers there, all of which help the spammer to continue to spam. You might ask, “What’s the point if they are not sending mail from there?” Well, we (SORBS) want the ISPs and providers to get rid of the spammers from their networks and refuse to provide hosting for them, after all what’s the point of sending the spam if they can’t sell anything when the minority of people reply to it? Occasionally we will list larger chunks of a network based solely on spam, this is where we have seen a continuous stream of spam from IPs and occasionally they move to “get around” the listings. This is also an ISP either knowingly or unknowingly supporting the spammer on their network.

A spam escalation netblock is not a pleasant place to be, but we (SORBS) use it as a last resort to get the attention of the provider and try to give gentle pressure to the provider to get rid of the spammer. If you find yourself the subject of a listing, what follows are some suggestions as to what you can do:

  • Demand your provider terminate the spammers or the support services. This is an easy way to find out what business your provider is in, but beware, the common responses are:
    • “SORBS will not delist, we’ve tried” – This means they talked to us and we told them they need to terminate the spammers and they refused.
    • “SORBS requires a fine and we won’t pay it” – This means they know and accept that spam was sent, but they are unwilling to take responsibility for that spam even though it was their servers that sent it.
    • “We can’t contact anyone at SORBS” – well, as you already know by talking to us, this is not true; anyone can log a ticket through the SORBS Support System.
  • Move to another provider.
  • Use SMTP Services of another provider and the “smarthost” functionality of your mail server software to send email from another relay that you are authorised to use.

Of course, in the first point, these are the most common responses and in each case are an excuse to continue getting money from the spammers. What most people don’t know is that spammers will often provide “incentives” (aka bribes) to the salesman that has sold them the services to ignore the spam complaints. The net result is the ISP/provider can be getting as much as 5 times the normal rate for the hosting, so they don’t want to terminate the spammer. This means the spammer’s business is more important to them than yours. They are also banking on the fact that once hosted, you might complain about blocking, but in reality you don’t want to move because you have a good deal or you perceive it’s just too expensive for you to move. SORBS accepts this as a problem, but stands firm in that we need to keep the pressure up on the providers; our customers support us in this stance and unless you’re happy to get more spam you should too.

So what happens if you have a single IP on the list? Well, this usually means that your server has sent spam, and getting off the list varies depending on the type and frequency of the spam, whether you are the new owner of the netblock, or other circumstances. In each case we try to evaluate your situation and we will act accordingly. The Spam Database FAQ is quite firm in its stance and our policy, but in reality this is to make our lives easier. We do evaluate listings individually, we will delist people ‘free of charge’ (once) and we will delist old entries. If however we think that the spam issue is just starting from your IP, or we believe you haven’t actually done anything to ensure it doesn’t happen again, we will fall back to the policy and require a fine to be paid before we delist you. If you believe this to be extortion or blackmail you should visit the article that discusses the issue.

Something we haven’t told people, but are often asked, is “How is the data compiled?” This article will touch on the subject and give some detail which, if used right, can ensure you are never listed by SORBS, or that listings are very rare.

The vast majority of entries (well over 2 million as of April 2010) are listed because we received spam to one of our spamtrap servers. The host was identified as sending spam because it delivered mail containing a known spam URI. “What?” Well, simply, we receive around 10 million emails a day to disused domains; these might be recently expired, they might be domains that have been expired for years. We decode the body of the messages, process any JavaScript in a sandbox, and then check any URIs we find against the SURBL and URIBL as well as our own (currently) internal list. If we find a match we wrap up the spam, checksum it, and send it to our ‘spam processing servers’. These servers check that the host sending the message is authorised to send spam reporting messages, check the checksum of the message to ensure it has not been tampered with, and then unwrap the message and insert it directly into the Spam Database together with the checksum; we will (soon) write these messages directly to DVD-R (write once). All of these measures ensure that the spam recorded actually came from one of our servers and that its origin has been recorded securely for law enforcement research and to prevent forgeries causing listings.

Other methods of determining spam are simpler: we use people. We have a system which interfaces to the same wrap-up method we use for the spamtrap servers; however, the SORBS admins from around the world and many professions have the task of sorting mail from spam. What happens is the spam we get in our inboxes is moved (by hand) to a folder called “Spam4SORBS” or “Spam” or even “Junk Mail”, and every 5 minutes a “robot” logs into the server as the user, or the administrator checks those folders, and grabs all the messages, wrapping them and sending them to the spam processing servers.

Lastly there are web forms available, such as the Spam Submission Beta test and our admin interface, where we can either cut/paste spam or create network listings of 1 IP through to 65536 IPs or more. All the listings that are not for a single IP are checked by the other SORBS administrators for detail and mistakes; this is also to prevent a repeat of the past where someone who was working for another anti-spam service was able to create 3 very large listings which had an immediate and detrimental effect on the SORBS service as well as upsetting millions of email users who were blocked. Note: we also do background checks on all our new staff and have them sign contracts which should prevent a recurrence.

So how do you get out? Well, simply, you have to follow the SORBS Spam Database FAQ or convince one of our staff that you and your IP are not going to spam again. In reality we know you can’t guarantee this, but you need to take measures to minimise the issue. It’s no good saying, “We found a virus on one of our machines and removed it”, because that doesn’t help stop it re-occurring; basic network hygiene dictates that you should have up-to-date anti-virus software (with current definitions) running on ALL your hosts. You should be patching your machines regularly and using tools from vendors to ensure that the patches are applied. If you are not doing this already, then that is the likely cause of the problem.

Consider the basic security implications of getting a virus that sends spam… If you are infected and the host is sending spam, it could also have key-logged everything on that server and sent it to the virus creator; it could have sent most of your corporate secrets. It could also have sent compromising photos which could be used to blackmail you later… “That’s just scare tactics” you can shout, but every one of those scenarios has already been seen in the real world. People have had their banking details stolen and thousands of dollars sent to money laundering accounts in Russia. Businessmen who are also cross-dressers, and VIPs who are cheating on their partners, have been blackmailed into sending thousands of dollars to people around the world. Ideas and works that are about to be patented have been stolen and sold to the highest bidder. Spam is only what keeps a regular income, a sideline you might say; the real money is in the scams, the emptying of bank accounts and blackmail, all of which is run by organised crime. The people behind the spam and viruses are people who have a lot of money to pay for developers to come up with new ways to get into your systems and steal from you. No longer is spam just about email; it’s about money, real money, and lots of it.

The SORBS database is a tool you can use to help identify where you went wrong as it will flag problems within minutes. This might be too late for your personal data, but it is better to be forewarned as you can be forearmed. The Spam database is there to stop the flow of spam (and sometimes viruses) into the networks of SORBS users giving them another line of defense. This might be an inconvenience for you in the short term, but consider the implications to them and you if they are infected by something you have sent.

I wonder how long it will be before corporate America has some big scandal where the result is someone who hasn’t taken measures to protect their network being sued for negligence when that network successfully attacks someone, resulting in a loss of corporate secrets worth millions…?


Extortion, Blackmail or both…?

Apr 03 2010 Published by Michelle Sullivan under Spam Database

This article is for all to read, but you should also consider that only a small part of what constitutes the SORBS Database is the SORBS Spam Database. If you are not familiar with this distinction (and most people are not), please read the article on the SORBS Spam Database that defines what the SORBS Spam Database actually is.

Many people accuse SORBS of extortion or blackmail; in nearly all cases the people promoting it as such are people who are listed in the spam database for sending spam, and most are the spammers themselves. Spammers go by multiple guises and will create multiple blogs and posts (in newsgroups, forums and blog comments) accusing SORBS of extortion or blackmail to try and discredit SORBS so that fewer people use SORBS, which means their spam can get through. There are the occasional people who do the same who are not spammers, but are misguided by the myriad of posts by the spammers.

Here are some truths and the reality of the situation.

SORBS blocks nothing; the administrators (including those of the SORBS mail servers) use SORBS to decide whether to allow email through or reject it. This is the fundamental and legal point as to why SORBS is not blackmail or extortion. Of course there are those who disagree, but consider that SORBS has operated in multiple jurisdictions of the world, all with laws against extortion and blackmail, all where people have complained to law enforcement and consulted lawyers about private prosecutions. As of April 2010, SORBS has been operating the same policy for seven years and has never even had a court case started, let alone lost, for extortion or blackmail. We have never let anyone out because of pressure; indeed when we listed one of the mail servers for the Queensland (Australia) Police force I (Michelle Sullivan) received phone call threats from a senior sergeant about the listing. I explained the policy, explained why it was listed, and what they needed to do to get the IP delisted; he argued for a few hours. A few days later the IP was delisted when they complied with the policy requirements. A similar issue happened with a number of departments of the Australian Federal government (whom I later worked for); it caused a policy change for their email systems which now results in a significant reduction in spam from their hosts.

So why is it not extortion you ask? Well aside from the legal point I mentioned above, the definition of Extortion is (according to wikipedia) as follows:

Extortion, outwresting, or/and exaction is a criminal offense which occurs when a person unlawfully obtains either money, property or services from a person(s), entity, or institution, through coercion. Refraining from doing harm is sometimes euphemistically called protection. Extortion is commonly practiced by organized crime groups. The actual obtainment of money or property is not required to commit the offense. Making a threat of violence which refers to a requirement of a payment of money or property to halt future violence is sufficient to commit the offense. Exaction refers not only to extortion or the unlawful demanding and obtaining of something through force,[1] but additionally, in its formal definition, means the infliction of something such as pain and suffering or making somebody endure something unpleasant.[2]

In the United States, extortion may also be committed as a federal crime across a computer system, phone, by mail or in using any instrument of “interstate commerce.” Extortion requires that the individual sent the message “willingly” and “knowingly” as elements of the crime. The message only has to be sent (but does not have to reach the intended recipient) to commit the crime of extortion.

Extortion is distinguished from robbery. In “strong arm” robbery, the offender takes goods from the victim with use of immediate force. In “robbery” goods are taken or an attempt is made to take the goods against the will of another—with or without force. A bank robbery or extortion of a bank can be committed by a letter handed by the criminal to the teller. In extortion, the victim is threatened to hand over goods, or else damage to their reputation or other harm or violence against them may occur. Under federal law extortion can be committed with or without the use of force and with or without the use of a weapon. A key difference is that extortion always involves a written or verbal threat whereas robbery can occur without any verbal or written threat (refer to U.S.C. 875 and U.S.C. 876).

The term extortion is often used metaphorically to refer to usury or to price-gouging, though neither is legally considered extortion. It is also often used loosely to refer to everyday situations where one person feels indebted against their will, to another, in order to receive an essential service or avoid legal consequences. For example, certain lawsuits, fees for services such as banking, automobile insurance, gasoline prices, and even taxation, have all been labeled “legalized extortion” by people with various social or political beliefs.

Neither extortion nor blackmail require a threat of a criminal act, such as violence, merely a threat used to elicit actions, money, or property from the object of the extortion. Such threats include the filing of reports (true or not) of criminal behavior to the police, revelation of damaging facts (such as pictures of the object of the extortion in a compromising position), etc.

Now, why SORBS often gets confused with extortion is because of the fourth paragraph: people feel indebted against their will, because they cannot send email to SORBS’ users without paying the ‘fine’ to get off the list. The problem is that this is true (for the Spam Database): they cannot without paying the fine, and whilst that might leave a bad feeling for them, their IP address committed an act (in most cases) which cost SORBS money. Their server accessed our servers either deliberately, accidentally or maliciously and used its bandwidth and resources against our acceptable use policy, against our wishes and without our permission. We would be well within our rights as service providers to charge someone real money for that usage (authorised or not); however, we choose instead to make a requirement for the fine payers to donate to charity or a good cause. Our legal advice has told us this is fine to do; they have also indicated we could legally charge for that unauthorised access, but they added that whilst we could do it legally it would likely enable people to take us to court more easily, and whilst there is a legal basis for us to win every time, we would have to defend that, and defending legal issues takes time and costs money. We decided long ago that we should have the money donated to charity as there are plenty of worthy causes out there that are in dire need of financial aid.


The various databases…

Apr 02 2010 Published by Michelle Sullivan under Spam Database,Using SORBS

It seems this topic keeps coming up with a regularity that is surprising if annoying at times. People seem to confuse the SORBS databases and get angry about the fine applying to the DUHL and Proxy entries etc. This of course is pointless, SORBS only charges for removal from the SORBS spam database and the other databases have their own delisting policies.

Herein lies the problem: many people think the SORBS Spam DB means any listing in the SORBS database, which of course is completely wrong. For those with a technical background, SORBS v1.0 has several tables in a single database; each table holds data about IP addresses and networks, and these are exported to the RSYNC and DNS servers every minute into different ‘zones’.

A detailed explanation of what each zone is and what it contains can be found on the Using SORBS page, what follows is a list of the individual zones and what they are called:

http.dnsbl.sorbs.net - This is the SORBS HTTP Proxy Database
socks.dnsbl.sorbs.net - This is the SORBS SOCKS Proxy Database
misc.dnsbl.sorbs.net - This is the SORBS Miscellaneous Proxy Database
smtp.dnsbl.sorbs.net - This is the SORBS Open-Relay Database
new.spam.dnsbl.sorbs.net - This is the SORBS Spam Database
recent.spam.dnsbl.sorbs.net - This is the SORBS Spam Database
old.spam.dnsbl.sorbs.net - This is the SORBS Spam Database
escalations.dnsbl.sorbs.net - This is the SORBS Spam Database
web.dnsbl.sorbs.net - This is the SORBS Web and Vulnerability Database
block.dnsbl.sorbs.net - This is the SORBS Admin Block Database
zombie.dnsbl.sorbs.net - This is the SORBS Zombie Network Database

From this quick look you can see that the Spam Database is only a small part of what SORBS offers.

What does this mean to you? Well, quite simply, if you are blocked by SORBS and your database lookup does not say ‘Spam Database’, then you have nothing to pay; there is no fine.
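To make that distinction concrete, here is an added example (not SORBS’ own code) that looks up an IPv4 address in every zone named in the list above and in the ‘Spam Database Listings’ article, and reports whether any hit is a Spam Database hit, the only case where the fine applies. The zone names, database labels and time windows come from this blog; the resolver plumbing and the sample answers for 192.0.2.x are constructed for the example.

```python
# Added example, not SORBS' own code: query the SORBS DNSBL zones named in
# this blog for an IPv4 address and say whether a hit is a Spam Database hit.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Zone -> database name, as listed in "The various databases..." (plus the
# spam.dnsbl.sorbs.net zone from "Spam Database Listings").
ZONES: Dict[str, str] = {
    "http.dnsbl.sorbs.net": "SORBS HTTP Proxy Database",
    "socks.dnsbl.sorbs.net": "SORBS SOCKS Proxy Database",
    "misc.dnsbl.sorbs.net": "SORBS Miscellaneous Proxy Database",
    "smtp.dnsbl.sorbs.net": "SORBS Open-Relay Database",
    "new.spam.dnsbl.sorbs.net": "SORBS Spam Database",
    "recent.spam.dnsbl.sorbs.net": "SORBS Spam Database",
    "old.spam.dnsbl.sorbs.net": "SORBS Spam Database",
    "spam.dnsbl.sorbs.net": "SORBS Spam Database",
    "escalations.dnsbl.sorbs.net": "SORBS Spam Database",
    "web.dnsbl.sorbs.net": "SORBS Web and Vulnerability Database",
    "block.dnsbl.sorbs.net": "SORBS Admin Block Database",
    "zombie.dnsbl.sorbs.net": "SORBS Zombie Network Database",
}

# Time window each Spam Database zone covers, from "Spam Database Listings".
SPAM_WINDOW: Dict[str, str] = {
    "new.spam.dnsbl.sorbs.net": "last 48 hours",
    "recent.spam.dnsbl.sorbs.net": "last 28 days",
    "old.spam.dnsbl.sorbs.net": "last 365 days",
    "spam.dnsbl.sorbs.net": "no time limit",
    "escalations.dnsbl.sorbs.net": "network escalation (whole netblock)",
}

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.

    Raises ValueError for anything that is not a valid IPv4 address, so a
    typo cannot silently turn into a lookup for some other host.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the OS resolver. A DNSBL answers with an A record
    (conventionally 127.0.0.x) only when the address is listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolver: Resolver = system_resolver) -> dict:
    """Query every zone and classify the hits the way the article does:
    only a 'SORBS Spam Database' hit is one where the delisting fine applies."""
    listed: List[str] = [
        zone for zone in ZONES if resolver(dnsbl_query_name(ip, zone)) is not None
    ]
    spam_zones = [zone for zone in listed if ZONES[zone] == "SORBS Spam Database"]
    return {
        "ip": ip,
        "listed_in": listed,
        "databases": sorted({ZONES[zone] for zone in listed}),
        "spam_database": bool(spam_zones),  # True -> the fine may apply
        "spam_windows": [SPAM_WINDOW[zone] for zone in spam_zones],
    }


# Constructed sample answers so the example runs offline. 192.0.2.0/24 is
# documentation address space; these are NOT real SORBS listings.
SAMPLE_ANSWERS: Dict[str, str] = {
    "10.2.0.192.recent.spam.dnsbl.sorbs.net": "127.0.0.2",
    "10.2.0.192.old.spam.dnsbl.sorbs.net": "127.0.0.2",
    "20.2.0.192.socks.dnsbl.sorbs.net": "127.0.0.2",
}


def sample_resolver(name: str) -> Optional[str]:
    """Drop-in replacement for system_resolver that answers from the sample."""
    return SAMPLE_ANSWERS.get(name)
```

Calling `check_ip("192.0.2.10", sample_resolver)` runs against the constructed answers; `check_ip("203.0.113.5")` with the default resolver performs real DNS queries against the SORBS zones.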

Now, what are all the databases?

The HTTP, SOCKS and MISC databases are all proxy servers of one sort or another, and getting delisted is a simple matter of obtaining a key, and sending in a specifically formatted message to our test address. This will cause servers around the world to issue random tests on the server immediately and if it appears not to have a proxy anymore, it will delist the IP address. Over the following few weeks other servers will perform the same tests at random to help ensure that the proxy server was secured and not just ‘turned off’.

The Open-Relay database is similar to the proxy database in that the delisting function works in the same way, however rather than testing for an open proxy it tests to see if the server is a mail server that will relay messages for anyone.

The Web and Vulnerability database is a little secretive about how it works, but here’s the gist… If your host sends messages into our spamtraps the connection information is checked: things like the TCP flags, the hostname, the IP address, the SMTP commands it uses and in which order, and the number of times it attempts to connect in a certain period of time. If certain conditions are met, the host is listed as a ‘Possibly Trojaned Host’. Additionally, if the host attempts to send viruses to the spamtrap servers it could also cause a listing, though these are more stringently checked as we do not wish to list ISPs’ mail servers for delivering virus payloads, even though they should be virus scanning ALL mail.

The Zombie Database is not a database of hosts that are zombie machines, but of networks that have been hijacked. Hijacking occurs when a network becomes disused or the owner falls into receivership and a spammer takes over their network by fraudulent means. A lot of research goes into entries in this database, and removal requires more research, which a listee can aid by proving their legal ownership of the domain concerned.

The admin block database is where the administrator of the network has requested that they never be contacted by anyone at SORBS or any of the test machines, and to prevent SORBS servers from being triggered into sending messages or contacting their networks a general block is placed on every service. Removal can happen at any time when the registered network owner requests delisting.

The Spam Database, well, this one is where we put IPs sending spam, and any netblocks that are actively supporting spammers. This means that occasionally people are blocked because of other people within their network. More information on this issue can be found in our ‘Spam Database Listings’ article.

I hope this gives a little insight into how the SORBS Databases are defined and you will now understand that a listing in SORBS doesn’t mean you’re “listed on the spam database” but can mean a variety of other things.
