Archive for the 'Using SORBS' Category

How to use (and not to use) SORBS…

Apr 10 2010 Published by Michelle Sullivan under Using SORBS

Many times we have been accused of telling people to use the wrong SORBS zones; the most pathetic accusation was that we were telling everyone to use a particular zone simply because we showed it in the examples of how to configure SORBS or any other DNSBl.

There are currently many zones available in SORBS, some of which are single zones and some of which are aggregate zones (a zone that consists of data from more than one zone). The main two zones for using SORBS are ‘’ and ‘’, the difference being that one is ‘safer’ to use than the other. ‘Safer’ of course is a very subjective word and is interpreted in many ways; SORBS uses ‘safer’ to mean fewer false positives (where you might block real mail that you didn’t want to block), the downside being that it catches less spam. If you don’t want to evaluate the zones for your own use, as we have suggested since the inception of the ‘Using SORBS’ page, and want advice from us, this is how we (the SORBS administrators) use SORBS.

For our mail servers where we want less spam and false positives are not so important, we use ‘’ for default blocking, and we also use ‘’ as well as ‘’. For the mail servers we administer at a corporate level, where the directors and CEOs have specified they’d rather have more spam than risk losing real email, we configure ‘’ and ‘’. In both cases we do not use any pay-for services such as Trend Micro’s RBLs and the Spamhaus DNSBls. We use SpamAssassin and ClamAV to scan all the content passing through the servers and use the default DNSBl services included with SpamAssassin. In corporate environments we mark a header with the spam score and have rules on all the internal email servers to automatically put ‘spam email’ in a junk folder. In non-corporate environments we configure SpamAssassin into the MTA to reject any message whose spam score exceeds the ‘it is spam’ threshold.

For other servers many of the other zones are used; for example, a number of chat networks use the zone ‘’ to block incoming connection requests, and some financial services networks use the ‘’ zone to detect and reject connections from trojaned machines, thereby reducing online financial fraud.

So far we have described how to use SORBS, but just as important is how not to use SORBS.

  • Do not use the SORBS DUHL for blocking connections from your own users to your mail servers! This might sound silly, but we have seen it. If you wish to use the SORBS DUHL, either whitelist your own users or set up secure connections with SMTP AUTH to bypass the restriction.
  • Do NOT use the SORBS DUHL in ‘deep header parsing’ unless it is to increase the likelihood that the message is NOT spam. Again, this might sound very basic and very simple common sense; however, the current incarnation of the Barracuda Anti-Spam appliance (April 2010) has been reported as using the SORBS DUHL (amongst other non-SORBS dynamic zones) for deep header parsing.
  • Do not configure SORBS zones in a way that the blocked person has no idea why they are blocked. This is something that we at SORBS have constant issues with: aside from people messaging us saying they are blocked when the final analysis is that it’s another DNSBl and not SORBS, we also get a lot of people who have no idea what their IP address is. Worse, the message they get back states something like “Your message was rejected, reason: blacklisted at SORBS.NET”. Now imagine yourself a home user with little understanding of how email works, let alone what an IP address is: how are you going to know what you are blocked for?
  • Do not use SORBS from third-party distribution sites. SORBS provides free access for 99.99% of the world, and as such if you get zones or queries from other systems the chances are the data is already out of date, and worse, it may be as much as a few days or weeks old. There are NO authorised third-party distributors of the SORBS zones.

As we have stated on the ‘Using SORBS’ page, the most important thing to do when choosing your anti-spam resources is to do your own research. Don’t take our word for it: run your server tagging things that would be blocked by SORBS (and other services) and then check out how good (or bad) we are. Then choose what is good for you; blindly accepting people’s recommendations from the Internet (even ours) will result in messages you want being blocked and spam that you want to block getting through.
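The first and third points in the list above, and the ‘tag before you block’ advice, written out as Postfix main.cf fragments. This is an added example, not configuration from the original post or from SORBS; the zone name dnsbl.example.invalid is a placeholder, since the real zone names are not given here, and the three smtpd_recipient_restrictions settings are alternatives, so only one of them goes in a real main.cf.

```ini
# Added example (not SORBS configuration). Postfix main.cf fragments.
# dnsbl.example.invalid stands in for whichever zone you have evaluated.

# WEAK: the DNSBL check runs before your own users are permitted, so a
# customer on a dynamic IP that sits in a dial-up/dynamic list is refused
# when submitting mail through you, even when they use SMTP AUTH.
smtpd_recipient_restrictions =
    reject_rbl_client dnsbl.example.invalid,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# CORRECTED: whitelist your own networks and SMTP AUTH users first and
# apply the list only to mail arriving from strangers.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client dnsbl.example.invalid

# Tell the rejected sender WHICH address was blocked and by WHICH list,
# so even a home user has something to act on ($rbl_what expands to the
# connecting client IP, $rbl_domain to the zone, $rbl_reason to its TXT).
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what]
    blocked using $rbl_domain${rbl_reason?; $rbl_reason}

# EVALUATION: for a trial period only log what WOULD have been rejected,
# then compare those log lines against mail you know to be legitimate
# before switching the zone to a real reject.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    warn_if_reject reject_rbl_client dnsbl.example.invalid
```

With warn_if_reject in place, Postfix logs the would-be rejection with the client IP and zone name, which is the data you need to measure a zone’s false positives on your own traffic.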

Sites such as ‘The DNSBl Resource’ are run by people who work for Email Marketing companies (ESPs), and it is their job to ensure their customers’ messages get into your inbox. Many such companies claim to be ‘CAN-SPAM’ compliant, which means they are ‘Opt-Out’ emailers; this is an issue if you are not located in the USA, as the law requires they be ‘Opt-In’ only in places such as Europe and Australia. Opt-Out emailing in Australia is categorised as spam, so joining the dots in this section so far we can conclude that it is the purpose of the sites’ owners to ensure the spam they are paid to deliver gets into your inbox.

So what concern is this?

SORBS blocks a lot of these “ESP” companies due to the massive amount of abuse we see (*see footnote), and consequently it is common for them to build a reputation of trying to be fair and honest in their evaluation of which DNSBl-based resources to use. The following statement captured from ‘The DNSBl Resource’ clearly sums up this position and the hidden agenda:

I’ve been working with email senders and email receivers for more than ten years. Time flies when you’re having fun, helping the good guys block unwanted mail and pressuring the bad guys to reduce false positive blocking.

Which means he (the site owner: Al Iverson) works with anyone that doesn’t block his services to try and force those who do block his services to allow his companies email through.

SORBS’ view is clear in this matter: research for yourself, as there are many people out there who want you to work to their agenda. SORBS’ agenda is simple, we want people to stop sending spam. We don’t care how much money professional/legal spammers/email senders lose, just stop filling our mailboxes and those of others with junk. We don’t want it.

* One of the ESPs who say they are ‘anti-spam’ and ‘opt-in’ only managed 30,000 individual spams to one of our servers in a 24 hour period; this was exceptional, the normal load being around 1,000 per day, but it clearly shows the issue.


Spam Database Listings

Apr 03 2010 Published by Michelle Sullivan under Spam Database,Using SORBS

The SORBS Spam Database is not a pleasant place to be listed, but it serves its purpose and highlights issues where a host may have a compromised web script.

The other thing the Spam Database includes is networks where spammers reside (or have servers) and the network owner or ISP allows it and has refused to terminate their services. More on that issue and what you can do about it can be found later in this article.

So how does the SORBS Spam Database work? Well, quite simply, it lists the IP addresses we have received spam from directly. This could mean a compromised host, it could mean an ISP’s mail server for its users, or it could mean a shared host where there is a script (PHP and Perl are the most common, but ASP and .NET have also been seen) that can be abused to allow mail to be sent on behalf of spammers.

The SORBS Spam database is split into 4 different datasets (Zones or Databases if you like), each described in this simple list:
  • IPs sending spam in the last 48 hours.
  • IPs sending spam in the last 28 days.
  • IPs that have sent spam within the last year (365 days).
  • IPs that have sent spam in the past (no time limit).
  • Networks that have sent spam or are sending spam, or are where other spam services are hosted.

You might ask, “What does ‘where other spam services are hosted’ mean?” Well, simply, it means the spammer might be hosting their website(s) there, or they might be hosting other things like their DNS servers there, all of which help the spammer to continue to spam. You might ask, “What’s the point if they are not sending mail from there?” Well, we (SORBS) want the ISPs and providers to get rid of the spammers from their networks and refuse to provide hosting for them; after all, what’s the point of sending the spam if they can’t sell anything when the minority of people reply to it? Occasionally we will list larger chunks of a network based solely on spam; this is where we have seen a continuous stream of spam from IPs and, occasionally, they move to “get around” the listings. This is also an ISP either knowingly or unknowingly supporting the spammer on their network.

A spam escalation netblock is not a pleasant place to be, but we (SORBS) use it as a last resort to get the attention of the provider and to apply gentle pressure on the provider to get rid of the spammer. If you find yourself the subject of a listing, what follows are some suggestions as to what you can do:

  • Demand your provider terminate the spammers or the support services. This is an easy way to find out what business your provider is in, but beware, the common responses are:
    • “SORBS will not delist, we’ve tried” – This means they talked to us and we told them they need to terminate the spammers and they refused.
    • “SORBS requires a fine and we won’t pay it” – This means they know and accept that spam was sent, but they are unwilling to take responsibility for that spam even though it was their servers that sent it.
    • “We can’t contact anyone at SORBS” – well, as you already know by talking to us, this is not true; anyone can log a ticket through the SORBS Support System.
  • Move to another provider.
  • Use SMTP Services of another provider and the “smarthost” functionality of your mail server software to send email from another relay that you are authorised to use.

Of course, in the first point these are the most common responses, and in each case they are an excuse to continue getting money from the spammers. What most people don’t know is that spammers will often provide “incentives” (aka bribes) to the salesman who sold them the services to ignore the spam complaints. The net result is that the ISP/provider can be getting as much as 5 times the normal rate for the hosting, so they don’t want to terminate the spammer. This means the spammer’s business is more important to them than yours. They are also banking on the fact that once hosted, you might complain about blocking, but in reality you don’t want to move because you have a good deal or you perceive it’s just too expensive for you to move. SORBS accepts this as a problem, but stands firm in that we need to keep the pressure up on the providers; our customers support us in this stance, and unless you’re happy to get more spam you should too.

So what happens if you have a single IP on the list? Well, this usually means that your server has sent spam, and getting off the list varies depending on the type and frequency of the spam, whether you are the new owner of the netblock, or other circumstances. In each case we try to evaluate your situation and we will act accordingly. The Spam Database FAQ is quite firm in its stance and our policy, but in reality this is to make our lives easier. We do evaluate listings individually, we will delist people ‘free of charge’ (once), and we will delist old entries. If, however, we think that the spam issue is just starting from your IP, or we believe you haven’t actually done anything to ensure it doesn’t happen again, we will fall back to the policy and require a fine to be paid before we delist you. If you believe this to be extortion or blackmail you should visit the article that discusses the issue.

Something we haven’t told people, but which is often asked, is “How is the data compiled?” This article will touch on the subject and give some detail which, if used right, can ensure you are never listed by SORBS, or that listings are very rare.

The vast majority of entries (well over 2 million as of April 2010) are listed because we received spam at one of our spamtrap servers. The host was identified as sending spam because it delivered a message containing a known spam URI. “What?” Well, simply, we receive around 10 million emails a day to disused domains; these might be recently expired, or they might be domains that have been expired for years. We decode the body of the messages, process any JavaScript in a sandbox, and then check any URIs we find against the SURBl and URIBl as well as our own (currently internal) list. If we find a match we wrap up the spam, checksum it, and send it to our ‘spam processing servers’. These servers check that the host sending the message is authorised to send spam reporting messages, check the checksum of the message to ensure it has not been tampered with, and then unwrap the message and insert it directly into the Spam Database together with the checksum; we will (soon) write these messages directly to DVD-R (write once). All of these measures ensure that the spam recorded actually came from one of our servers and that its origin has been recorded securely for law enforcement research and to prevent forgeries causing listings.

Other methods of determining spam are simpler: we use people. We have a system which interfaces to the same wrap-up method we use for the spamtrap servers; the SORBS admins, from around the world and many professions, have the task of sorting mail from spam. What happens is that the spam we get in our inboxes is moved (by hand) to a folder called “Spam4SORBS”, “Spam” or even “Junk Mail”, and every 5 minutes a “robot” logs into the server as the user, or the administrator checks those folders, grabs all the messages, wraps them and sends them to the spam processing servers.

Lastly, there are web forms available, such as the Spam Submission beta test and our admin interface, where we can either cut/paste spam or create network listings of 1 IP through to 65536 IPs or more. All the listings that are not for a single IP are checked by the other SORBS administrators for detail and mistakes. This is also to prevent a repeat of the past, where someone who was working for another anti-spam service was able to create 3 very large listings which had an immediate and detrimental effect on the SORBS service as well as upsetting millions of email users who were blocked. Note: we also do background checks on all our new staff and have them sign contracts, which should prevent a re-occurrence.

So how do you get out? Well, simply, you have to follow the SORBS Spam Database FAQ or convince one of our staff that you and your IP are not going to spam again. In reality we know you can’t guarantee this, but you need to take measures to minimise the issue. It’s no good saying “We found a virus on one of our machines and removed it”, because that doesn’t help stop it re-occurring; basic network hygiene dictates that you should have up-to-date anti-virus software (with current definitions) running on ALL your hosts. You should be patching your machines regularly and using tools from vendors to ensure that the patches are applied. If you are not doing this already, then that is the likely cause of the problem.

Consider the basic security implications of getting a virus that sends spam. If you are infected and the host is sending spam, it could also have key-logged everything on that server and sent it to the virus creator; it could have sent most of your corporate secrets. It could also have sent compromising photos which could be used to blackmail you later. “That’s just scare tactics” you can shout, but every one of those scenarios has already been seen in the real world. People have had their banking details stolen and thousands of dollars sent to money laundering accounts in Russia. Businessmen who are also cross-dressers, and VIPs who are cheating on their partners, have been blackmailed into sending thousands of dollars to people around the world. Ideas and works that are about to be patented have been stolen and sold to the highest bidder. Spam is only what keeps a regular income, a sideline you might say; the real money is in the scams, the emptying of bank accounts and blackmail, all of which is run by organised crime. The people behind the spam and viruses are people who have a lot of money to pay developers to come up with new ways to get into your systems and steal from you. No longer is spam just about email; it’s about money, real money, and lots of it.

The SORBS database is a tool you can use to help identify where you went wrong, as it will flag problems within minutes. This might be too late for your personal data, but it is better to be forewarned, as then you can be forearmed. The Spam database is there to stop the flow of spam (and sometimes viruses) into the networks of SORBS users, giving them another line of defense. This might be an inconvenience for you in the short term, but consider the implications to them and to you if they are infected by something you have sent.

I wonder how long it will be before corporate America has some big scandal where the result is that someone who hasn’t taken measures to protect their network is sued for negligence when that network successfully attacks someone, resulting in a loss of corporate secrets worth millions…?


The various databases…

Apr 02 2010 Published by Michelle Sullivan under Spam Database,Using SORBS

It seems this topic keeps coming up with a regularity that is surprising, if annoying at times. People seem to confuse the SORBS databases and get angry about the fine applying to the DUHL and Proxy entries, etc. This of course is pointless: SORBS only charges for removal from the SORBS Spam Database, and the other databases have their own delisting policies.

Herein lies the problem: many people think the SORBS Spam DB means any listing in the SORBS database, which of course is completely wrong. For those with a technical background, SORBS v1.0 has several tables in a single database; each table holds data about IP addresses and networks, and these are exported to the RSYNC and DNS servers every minute into different ‘zones’.

A detailed explanation of what each zone is and what it contains can be found on the Using SORBS page; what follows is a list of the individual zones and what they are called:
  • This is the SORBS HTTP Proxy Database
  • This is the SORBS SOCKS Proxy Database
  • This is the SORBS Miscellaneous Proxy Database
  • This is the SORBS Open-Relay Database
  • This is the SORBS Spam Database
  • This is the SORBS Spam Database
  • This is the SORBS Spam Database
  • This is the SORBS Spam Database
  • This is the SORBS Web and Vulnerability Database
  • This is the SORBS Admin Block Database
  • This is the SORBS Zombie Network Database

From this quick look you can see that the Spam Database is only a small part of what SORBS offers.

What does this mean to you? Well, quite simply, if you are blocked by SORBS, then unless your database lookup says ‘Spam Database’ you have nothing to pay; there is no fine.

Now, what are all the databases?

The HTTP, SOCKS and MISC databases are all proxy servers of one sort or another, and getting delisted is a simple matter of obtaining a key and sending in a specifically formatted message to our test address. This will cause servers around the world to issue random tests on the server immediately, and if it appears not to have a proxy any more, the IP address will be delisted. Over the following few weeks other servers will perform the same tests at random to help ensure that the proxy server was secured and not just ‘turned off’.

The Open-Relay database is similar to the proxy databases in that the delisting function works in the same way; however, rather than testing for an open proxy, it tests to see if the server is a mail server that will relay messages for anyone.

The Web and Vulnerability database is a little secretive about how it works, but here’s the gist. If your host sends messages into our spamtraps, the connection information is checked: things like the TCP flags, the hostname, the IP address, the SMTP commands it uses and in which order, and the number of times it attempts to connect in a certain period of time. If certain conditions are met, the host is listed as a ‘Possibly Trojaned Host’. Additionally, if the host attempts to send viruses to the spamtrap servers it could also cause a listing, though these are more stringently checked, as we do not wish to list ISPs’ mail servers for delivering virus payloads even though they should be virus scanning ALL mail.

The Zombie Database is not a database of hosts that are zombie machines, but of networks that have been hijacked. Hijacking occurs when a network becomes disused or the owner falls into receivership and a spammer takes over their network by fraudulent means. A lot of research goes into entries in this database, and removal requires more research, which a listee can aid by proving their legal ownership of the domain concerned.

The admin block database is where the administrator of the network has requested that they never be contacted by anyone at SORBS or any of the test machines; to prevent SORBS servers from being triggered into sending messages or contacting their networks, a general block is placed on every service. Removal can happen at any time when the registered network owner requests delisting.

The Spam Database, well, this one is where we put IPs sending spam and any netblocks that are actively supporting spammers. This means that occasionally people are blocked because of other people within their network. More information on this issue can be found in our ‘Spam Database Listings’ article.

I hope this gives a little insight into how the SORBS Databases are defined and you will now understand that a listing in SORBS doesn’t mean you’re “listed on the spam database” but can mean a variety of other things.
