  sweintz Premium join:2002-03-01 Hamden, CT
| reply to Suffering Re: SORBS got my buddy
said by Suffering :
ok, maybe I worded it wrong. Your buddy should tell that to sorbs so they change their list to show it's not a spammer IP
Why? Given the complaints of fake rolex spam spewing from 209.165.130.11, I'd say it's accurate to list it as a spam source.
GCI needs to fix the problem by convincing SORBS it won't happen again. (the rolex spam, that is) |
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
| reply to sweintz said by sweintz :
NONONONO!!! NO! SORBS is *NOT* blocking anything. The receiver's ISP *IS* blocking. THEY are choosing to block any address listed in SORBS. SORBS is only a list. It does nothing by itself. In order for blocking to occur, the receiving mail server admin (IE: the ISP the mail was sent to) needs to specifically set up their server to look in the SORBS list and block mail from servers listed there.
I know what you are saying, but it's unfair for you to say 'it's all their fault, they followed sorbs' list!' sorbs doesn't make the list to do nothing but exist, they created it in order for people to use it to block mail. Blaming it all on the mail server admin doesn't solve the bigger problem that sorbs has him on their list and will blackmail him in order to have his IP removed. -- kicking screaming gucci little piggy |
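The post above describes the mechanism: the list is just DNS data, and the receiving server's admin decides to look it up and what to do with the answer. The following is an added example, not code from the thread, SORBS or any MTA; the zone name, the 127.0.0.x return codes, the zone data and the local whitelist are constructed stand-ins so it runs offline.

```python
"""Receiving-MTA side of a DNSBL check (added example, not any real MTA's code)."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed placeholder zone; no real DNSBL zone name is assumed here.
ZONE = "dnsbl.example.test"

# Constructed zone data standing in for live DNS: query name -> A records.
# A DNSBL answers with 127.0.0.x codes whose meaning is list-specific;
# NXDOMAIN (here: no key) means "not listed".
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "11.2.0.192.dnsbl.example.test": ["127.0.0.2"],      # listed
    "7.100.51.198.dnsbl.example.test": ["127.0.0.2"],    # listed, but whitelisted locally below
    "9.113.0.203.dnsbl.example.test": ["203.0.113.200"], # bogus non-127/8 answer (dead/wildcarded zone)
}


def query_name(client_ip: str, zone: str = ZONE) -> str:
    """Reverse the octets of the connecting IPv4 client and append the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def constructed_resolve(name: str) -> List[str]:
    """Stand-in for an A-record lookup; [] plays the role of NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name, [])


def is_listed(client_ip: str,
              resolve: Callable[[str], List[str]] = constructed_resolve,
              zone: str = ZONE) -> Tuple[bool, List[str]]:
    """Return (listed, codes). Only 127.0.0.0/8 answers count as a listing.

    A zone that has been abandoned or wildcarded to a public address would
    otherwise turn every connecting client into a "listed" one.
    """
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = resolve(query_name(client_ip, zone))
    codes = [a for a in answers if ipaddress.IPv4Address(a) in loopback]
    return bool(codes), codes


# Local policy lives with the receiving admin, not with the list operator.
# Constructed: a provider temporarily whitelisted while it sorts out its listing.
LOCAL_WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]


def connection_reply(client_ip: str,
                     resolve: Callable[[str], List[str]] = constructed_resolve,
                     zone: str = ZONE) -> str:
    """SMTP banner or rejection the receiving MTA would emit for this client."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in LOCAL_WHITELIST):
        return "220 mx.example.test ESMTP"  # local override beats the list
    listed, codes = is_listed(client_ip, resolve, zone)
    if listed:
        return (f"554 5.7.1 Service unavailable; client host [{client_ip}] "
                f"blocked using {zone} ({', '.join(codes)})")
    return "220 mx.example.test ESMTP"
```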
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
1 edit | reply to sweintz said by sweintz :
Why? Given the complaints of fake rolex spam spewing from 209.165.130.11, I'd say it's accurate to list it as a spam source. GCI needs to fix the problem by convincing SORBS it won't happen again. (the rolex spam, that is)
So you are telling me that: 1.) you know for a fact that this IP address has always belonged to this guy. 2.) mail headers can't be forged?
GCI owes sorbs nothing. If anything sorbs needs to contact the ISPs before blacklisting them in order to verify that spam is being sent out on that IP and the ISP isn't going to do anything about it. (btw, sorbs won't take the 'we fixed it' answer... they will make you give a 'donation')
I've said it before in this thread; sorbs has absolutely no authority to try to exert this pseudo control over ISPs' IP addresses. They lead people to believe that their ISP can just drop them a line and all is well in the internet world when this is far from the truth.
Of course we are operating under the assumption that this guy didn't do the spamming and someone else did, but I would hope that would go without saying. -- kicking screaming gucci little piggy |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| said by Suffering :
said by sweintz :
Why? Given the complaints of fake rolex spam spewing from 209.165.130.11, I'd say it's accurate to list it as a spam source. GCI needs to fix the problem by convincing SORBS it won't happen again. (the rolex spam, that is)
So you are telling me that: 1.) you know for a fact that this IP address has always belonged to this guy.
irrelevant. It isn't his address now. It is GCI's mail server. The address and ISP have a documented history of abuse.
said by Suffering :
2.) mail headers can't be forged?
Parts of headers can be forged, but not the final (top) received header, since that is created by the receiving mail server, not the sender. Therefore we know with 100% certainty that the spam was indeed coming from the address in question. |
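The distinction drawn above, between the topmost Received header (stamped by the receiving server) and the ones beneath it (arbitrary text supplied by the sender), is what an abuse desk relies on when it extracts a source address from a complaint. The following is an added example, not the poster's or any MTA's code; the headers, host names and addresses in it are constructed.

```python
"""Pick the one Received header a receiving site can vouch for (added example)."""
import re
from typing import List, Tuple

# Constructed sample: the topmost Received header was written by our own MX
# (mx.example.test); everything beneath it arrived inside the message and
# could have been written by the sender.
CONSTRUCTED_HEADERS = """\
Received: from mail.badisp.example (mail.badisp.example [192.0.2.11])
\tby mx.example.test with ESMTP id CONSTRUCTED01
\tfor <victim@example.test>; Mon, 1 Jan 2007 10:00:00 +0000
Received: from [198.51.100.7] (helo=legit-looking.example)
\tby mail.badisp.example with SMTP; Mon, 1 Jan 2007 09:59:00 +0000
From: "Rolex Deals" <sales@legit-looking.example>
To: victim@example.test
Subject: constructed sample
"""

OUR_MX = "mx.example.test"
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 continuation lines; return (lowercased name, value) in order."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def received_chain(raw: str) -> List[str]:
    """Received headers in on-the-wire order: the most recent hop comes first."""
    return [value for name, value in unfold_headers(raw) if name == "received"]


def source_ip_for_report(raw: str, our_mx: str = OUR_MX) -> Tuple[str, List[str]]:
    """Return (evidence_ip, claimed_ips).

    Only the topmost Received header was stamped by our own server, so only the
    bracketed peer address in it identifies the host that actually connected.
    Addresses in lower headers are sender-supplied claims and are kept apart.
    """
    chain = received_chain(raw)
    if not chain or f"by {our_mx}" not in chain[0]:
        raise ValueError("topmost Received header was not written by our MX")
    top = BRACKETED_IPV4.search(chain[0])
    if not top:
        raise ValueError("no bracketed peer address in topmost Received header")
    claimed = [m.group(1) for h in chain[1:]
               for m in [BRACKETED_IPV4.search(h)] if m]
    return top.group(1), claimed
```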
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| reply to Suffering said by Suffering :
If anything sorbs needs to contact the ISPs before blacklisting them in order to verify that spam is being sent out on that IP and the ISP isn't going to do anything about it. (btw, sorbs won't take the 'we fixed it' answer... they will make you give a 'donation') I've said it before in this thread; sorbs has absolutely no authority to try to exert this pseudo control over ISPs' IP addresses. They lead people to believe that their ISP can just drop them a line and all is well in the internet world when this is far from the truth.
•SORBS is under no obligation to contact an ISP before they add an IP address to their list.
•SORBS has the authority to control connections to their own MX servers.
•SORBS can say what they will about an IP address, as long as they can back up their claims.
Any email administrator who would use any DNSBL has the obligation to understand the nature of the DNSBL before they use it; and, to stop using it if enough of their customers complain about it.
SORBS is out of line to request financial consideration, even if it is only a charitable donation; but SORBS can't force anybody to use their list. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
  sweintz Premium join:2002-03-01 Hamden, CT | well said, Norman.
Yeah, SORBS' charity donation thing is a bit much. But that's their own prerogative.
Sorbs is just a list. Period. They pseudo-control nothing. |
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
| reply to NormanS I understand sorbs has no obligation to contact the ISP, but they shouldn't make it appear as though the ISP just needs to give them a jingle and the IP address will be removed.
I agree, sorbs has the authority to control their connections to their own mail servers.
I also agree, they can say whatever they want about an IP, however often their claims are unfounded (see my first post on page two).
I also agree that it's the mail server's admin that should understand and actually manage their DNSBL, however too many don't and (coming from personal experience here) will refer you to your ISP to have them contact sorbs.
my whole stance on sorbs is that they are too quick to blacklist, and greedy when it comes to taking you off the list. -- kicking screaming gucci little piggy |
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| They are not greedy; they get nothing out of the levy they try to impose. Unless they are getting a kickback from the favorite charity of the admin paying their levy.
As for improper blocking, you have said this:
quote: So, sorbs has blocked several completely legitimate dynamic IP addresses and then wants the ISP to contact THEM in order to verify that it's a dynamic IP address.
Sorbs has no authority to make such requests to have the ISPs contact them.
What is so inaccurate about blocking dynamic IP addresses? 95% of all spam delivery attempts to my MX server, and 95% of all spam delivered to my ISP accounts comes from dynamic IP addresses. 0% of the email I want to receive is delivered through dynamic IP addresses. While I don't use SORBS, I do use NJABL and DSBL. I have drawn IP addresses listed by NJABL, or by DSBL; and I can't send end-to-end from my MTA to AOL MX servers. Period. Blocking dynamic IP addresses is just plain sensible pro-active protection of the MX server.
You also said: quote: SORBS has a nasty habit of blacklisting entire ranges of IP's from well-known ISP's.
Some well-known ISPs include MCI/UUNet and SBC. Guess who are No.1 and No.2 in the Spamhaus list of Rokso hosting ISPs?
Both of these facts, the volume of spam sourced from dynamic IP address space, and the number of hard-core spammers hosted by well-known ISPs, are indisputable; and sufficient to support SORBS' decisions on blocking.
The worst of their actions are trying to levy financial costs for delisting. Everything else is, well; SPEWS and SCBL are at least as aggressive as SORBS. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
| said by NormanS :
What is so inaccurate about blocking dynamic IP addresses?
While I don't think people should run mail servers on dynamic IP addresses (isn't the point of PTR records to show some sort of accountability?), there is no way that sorbs or any other DNSBL can make a distinction between a dynamic address and a static one.
said by NormanS :
Some well-known ISPs include MCI/UUNet and SBC. Guess who are No.1 and No.2 in the Spamhaus list of Rokso hosting ISPs?
Again, maybe I should rephrase. They blacklist entire ranges of IPs from ISPs who actively seek out spammers on their network.
In principle I don't disagree with much of how sorbs operates, it's their execution and the lack of action of 'admins' who use their DNSBL. -- kicking screaming gucci little piggy |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| said by Suffering :
again, maybe I should rephrase. They blacklist entire ranges of IPs from ISPs who actively seek out spammers on their network. In principle I don't disagree with much of how sorbs operates, it's their execution and the lack of action of 'admins' who use their DNSBL.
Hmmm... care to cite some examples? MCI and SBC, for instance, certainly do not actively seek out spammers. In fact they even ignore complaints when the spammers are pointed out to them. True of many large ISPs.
I think there is a big problem with public perception erroneously believing that the large major ISP's are the good guys in the spam war. Most of them are definitely "black hat", and the telco's are probably the worst. |
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
2 edits | said by sweintz :Hmmm... care to cite some examples? sure. This is how it works with Qwest DSL:
First off they proactively scan the network for people that are infected with viruses/spam zombies. If you are flagged then whenever your machine requests http traffic your browser is redirected to a walled garden environment that tells you that you have _____ on your system... clean it up. The end user can acknowledge that they have an issue on their PC and then continue browsing (meanwhile the ports that the infection uses are blocked). If the abuse department receives one complaint that includes header information leading back to a Qwest subscriber that is spamming on the network (or if the person ignores the walled garden for an extended period of time, I think a month...) their account is disabled and they are kicked offline. After learning that Qwest has disabled the account because of some vulnerability on their system they are allowed to get it fixed (all the while they are offline) and if they assure Qwest it's fixed (kind of an honor system thing) then the account is re-enabled. They use a 3 strikes you're out system. They'll disable you 3 times. If you say you've fixed it and haven't 3 times... then sorry, you can't have Qwest as an ISP any longer. -- kicking screaming gucci little piggy |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| said by Suffering :
said by sweintz :
Hmmm... care to cite some examples?
sure. This is how it works with Qwest DSL: First off they proactively scan the network for people that are infected with viruses/spam zombies. If you are flagged then whenever your machine requests http traffic your browser is redirected to a walled garden environment that tells you that you have _____ on your system... clean it up. The end user can acknowledge that they have an issue on their PC and then continue browsing (meanwhile the ports that the infection uses are blocked). If the abuse department receives one complaint that includes header information leading back to a Qwest subscriber that is spamming on the network (or if the person ignores the walled garden for an extended period of time, I think a month...) their account is disabled and they are kicked offline. After learning that Qwest has disabled the account because of some vulnerability on their system they are allowed to get it fixed (all the while they are offline) and if they assure Qwest it's fixed (kind of an honor system thing) then the account is re-enabled. They use a 3 strikes you're out system. They'll disable you 3 times. If you say you've fixed it and haven't 3 times... then sorry, you can't have Qwest as an ISP any longer.
Nice, but ...
For instance why do they continue to host the webfinity spammers, for two years running now, after numerous complaints?
Why do they continue to host Brian Kramer? Jeff Peter's? Why do they keep such notorious spammers as these on their network?
actively seek out spammers my @ss. They have had these pointed out to them. They do nothing about it. |
|
  Krispy Premium,VIP join:2001-12-11 the stix
| reply to JJV I work with SORBS on a regular basis and have for over 3 years. We have a good relationship with SORBS; however, we have also had our SMTP server listed on SORBS a few times, and each time it was a warranted listing due to errors, miscommunication or unforeseen consequences on our end. I am regularly and often called on to justify, investigate and defend SORBS listings; to date I have only seen one error, and SORBS immediately responded, resolved and apologized. Here's my feedback on SORBS, SORBS policy and the propaganda floating around (and likely initiated by the spam community) about SORBS:
1.)We voluntarily list our dynamic netblocks with SORBS as no dynamic IP should be sending mail. To be clear, we provide SORBS the netblocks for blacklisting and in the event we need this list modifying or a block removed we simply contact SORBS and ask for it to be removed and it is done within 24 hours and there is no donation necessary.
2.)There is NO payment to SORBS. SORBS asks that a $50 donation be made to a charity, they list a few charities on their site but you can donate to any charity you like and simply provide proof of donation to SORBS. For example last time we were listed we donated to the Earthquake Relief Fund. Again, SORBS makes no money from the $50 delist donation. The donation is a way to raise awareness to the issue and I can tell you firsthand that the policy works. Once a payment is necessary some level of management must be involved to approve and clueful management will inquire why it is necessary and I have firsthand seen this awareness change the spam policies in organizations...most recently I have seen this happen with Hotmail (yes, really!). Because of the $50 donation senior Hotmail management is now involved and are working proactively with SORBS and other aspects of the anti-spam community.
3.)Yes, SORBS is a particularly militant RBL and probably the most militant of the widely used and popular RBLS but this is simply because all other such RBL providers have been run off the internet by the spam community. By and large RBL providers are non-profit organizations run by volunteers so continuous DDoS attacks and legal threats from the spam community have unfortunately forced most of these providers off the net.
4.)It really sucks that it is necessary to blacklist entire netblocks in order to get providers' attention, but that is the case in these days where approx 80% of email sent is spam. Don't blame SORBS, blame those negligent providers that either willingly ignore reports and/or don't support their security depts (or don't have a security dept) enough for them to handle these reports.
5.)I'm absolutely in awe of the logic of some providers *cough*Yahoo Groups*cough* *cough*Wannadoo*cough* that prefer to spend oodles of money on processing bounces and customer support staff to answer support questions instead of simply working with SORBS, possibly having to pay a measly $50 donation and making their customers happy...I just don't get it. And as for the claims of SORBS demanding $100s and/or $1000s of dollars for delists....if you have firsthand proof of this (aka: not something you heard from a friend of a friend of an online friend that was told this by a 1st tier rep at ISP X) IM me with the details and I'll follow up with SORBS as this is simply not the case.
6.)SORBS runs the list but they neither control nor force anyone to query their list. We query SORBS list to reduce spam but if ISP X's IP is listed on SORBS I have no ability to remove them from SORBS, only ISP X can work with SORBS to get removed. I'm always willing to help other admins (although it shouldn't be necessary) and we've even temporarily whitelisted providers once they prove they're working to resolve the matter with SORBS and they provide us 24/7 contact information - for example with Hotmail it's understandable that such a large organization will need time to figure it all out with SORBS and once we got contact with real live Hotmail people and they committed to working with SORBS we reacted and worked with them for the sake of our combined customers...providers that simply regurgitate the propaganda and bounce their customers around should be pressured by their customers to resolve the situation instead of shifting the blame.
I'm responsible for a network with over 250,000 high-speed hosts and somehow I'm able to keep SORBS from listing our network often, how do I do it you ask? Here's my quick and simple guide....
-have a working security dept that actions abuse reports
-management that understand the importance and value of an effective security dept and supports them
-react to RBL listings and work with the provider to get delisted
-(this one is a tricky one) READ THE SORBS WEBPAGE FOR DELIST INSTRUCTIONS AND FOLLOW THEM - crazy concept I know but it does work! Every time we've been listed I've gotten us delisted in under 24 hours following this one simple rule
That last point is the most important. SORBS has a lot of information on their site, and if people would simply sit down and read it and try to understand it instead of buying into the propaganda being spread by the spam community, we'd all reap the benefits, plus poor customers wouldn't be bounced around by support departments.
Place the blame where it should lay, with the admins of netblocks that are spewing spam. -- you can lead a horse to the water but you cannot make him drink...you can put a man through school but you cannot make him think --ben harper |
|
 vaisg
join:2005-09-11
1 edit | Good response. People running blacklists are the most misunderstood people. For running it to help mail admins control their spam level, they get all the blame.
We use the blacklist voluntarily; no one forces us to use it. Many are willing to risk blocking a small amount of legit mail rather than have the floodgate open for spam.
We prefer not to have tens and hundreds of infected machines hitting our mail server trying to get spam across. We prefer not to have our users having to delete so much junk just to view their emails. This same bunch of criminals also sends out ebay and paypal phishing; they sell pirated sw.
Blacklists seem most effective, or we'll have to block half the world. |
|
  ananymous
@tartergate.com
| reply to JJV The people at Sorbs are a bunch of emotional idiots. They block people just because they complain to them. Perfectly legit servers get blocked by them, and if you raise hell with them when they want to extort cash from you to get unblocked, they'll you again.
No one should use that organization and they should be sewed. |
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| said by ananymous :
The people at Sorbs are a bunch of emotional idiots. They block people just because they complain to them. Perfectly legit servers get blocked by them, and if you raise hell with them when they want to extort cash from you to get unblocked, they'll you again.
No one should use that organization and they should be sewed.
They are no more emotional than many who complain about them.
Many legitimate servers get blocked, by other lists than SORBS, for generating "backscatter".
Are you that good with needle and thread? And shouldn't the past tense form of "sew" be, "sewn"? -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| said by NormanS :
Many legitimate servers get blocked, by other lists than SORBS, for generating "backscatter".
If a server is generating backscatter, it is not being run by competent admins and SHOULD be blacklisted. There is no need for "backscatter" - NDR (non delivery report) emails should NEVER be sent in this day and age. Period. Non-deliverable mail should get a 550 error during the SMTP transaction. That completely eliminates the need to send a non-delivery report email back to the original sender. |
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| said by sweintz :
If a server is generating backscatter, it is not being run by competent admins and SHOULD be blacklisted. There is no need for "backscatter" - NDR (non delivery report) emails should NEVER be sent in this day and age. Period. Non-deliverable mail should get a 550 error during the SMTP transaction. That completely eliminates the need to send a non-delivery report email back to the original sender.
Yes to the first. I went round with an SBC mail admin over a return to a forged email address. It turned out that the circumstance is rare, due to the fact that a "@pacbell.net" account which I closed was not cleaned up properly. SBC servers should be rejecting it, but aren't. I tried to explain to him that this will keep the SBC output servers at risk of being blocked. The only reason that I saw it is because the spammer forged a "@netscape.net" account of mine as the sender, then tried to send it to my closed "@pacbell.net" account. He didn't seem to understand the fact that bouncing to the "Return-Path" was a bad thing, even in a rare circumstance. SBC servers normally reject email to a bad email address, using a 5xx error during the SMTP process. However, it appears that they don't completely erase a closed account under some odd circumstances.
OTOH, NDRs are not all bad. When my MX refuses to accept an email, returning a 5xx error to the relay SMTP client, it is entirely likely that the relay SMTP client knows exactly the right account to return the error notice to; after all, they are trying to deliver for that account. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| said by NormanS :
OTOH, NDRs are not all bad. When my MX refuses to accept an email, returning a 5xx error to the relay SMTP client, it is entirely likely that the relay SMTP client knows exactly the right account to return the error notice to; after all, they are trying to deliver for that account.
Yes. Let me change what I said a bit... - the *receiving* MTA should never send an NDR. The originating NDR could, assuming it does not allow its users to send mail claiming to be from outside domains. I think many ISPs still have their mail servers configured to allow relaying if the mail client is connecting from within that ISP's IP space. For instance, say I was a customer of badisp.com, had an IP address assigned by badisp.com, and my copy of Outlook Express set up to send mail through mail.badisp.com. I get a trojan/virus/malware that sends spoofed email out, using whatever server I have configured in Outlook Express. The virus connects to mail.badisp.com and attempts to send a spoofed email, issuing a MAIL FROM: <JOE.JOBBED.USER@SOME-OTHER-ISP.COM>. mail.badisp.com is set up to allow users connecting from within badisp.com IP space to send mail claiming whatever "from" address they want. Cheap and easy way to allow business customers of the ISP to send mail from their own domain name via the ISP's mail server without the ISP needing to change any security on the mail server. Now say the virus is detected at the receiving end and the mail gets 550'ed. If mail.badisp.com tries to send an NDR, it would go to joe.jobbed.user@some-other-isp.com. That is a Bad Thing (TM) in my opinion. |
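The two policy points argued in this exchange and in the earlier backscatter post (reject unknown recipients with a 5xx during the SMTP transaction rather than accept-and-bounce; and never bounce to a Return-Path the originating MTA did not verify, which is exactly what the IP-space relay in the badisp.com scenario cannot do) are small enough to write down as decision logic. This is an added example, not any participant's or MTA's code; the domain names, mailboxes, address space and the "badisp" relay rule are constructed to mirror the thread's hypothetical.

```python
"""Where a bounce may and may not go (added example, not any real MTA's logic)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- Receiving side (constructed domain and mailboxes) -----------------------
LOCAL_DOMAIN = "receiver.example"
LOCAL_MAILBOXES = {"alice", "bob"}


def rcpt_to_reply(recipient: str) -> str:
    """Answer RCPT TO synchronously, so the sending side hears the failure
    during the transaction and no NDR e-mail ever has to be generated here."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain != LOCAL_DOMAIN:
        return "554 5.7.1 Relay access denied"
    if local not in LOCAL_MAILBOXES:
        return f"550 5.1.1 <{recipient}>: Recipient address rejected: User unknown"
    return "250 2.1.5 Ok"


# --- Originating side (constructed stand-in for the thread's badisp.com) ------
ISP_DOMAIN = "badisp.example"
ISP_SPACE = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Submission:
    client_ip: str
    authenticated_user: Optional[str]  # None: relayed on IP space alone, no login
    mail_from: str                     # envelope sender, becomes the Return-Path


def relay_accepts(sub: Submission) -> bool:
    """The weak rule described in the thread: any client inside the ISP's IP
    space may relay with any MAIL FROM. Shown to expose its consequence below."""
    return ipaddress.ip_address(sub.client_ip) in ISP_SPACE


def may_bounce_to_return_path(sub: Submission) -> bool:
    """An NDR is only safe when the Return-Path is known to belong to the
    submitting user. An IP-space relay never knows that, so it must not bounce."""
    if sub.authenticated_user is None:
        return False
    local, _, domain = sub.mail_from.lower().rpartition("@")
    return domain == ISP_DOMAIN and local == sub.authenticated_user.lower()


def on_remote_550(sub: Submission) -> str:
    """What the originating MTA does after the remote MX answered 550."""
    if may_bounce_to_return_path(sub):
        return f"NDR to <{sub.mail_from}>"
    return "NDR suppressed: unverified Return-Path (would be backscatter); logged"
```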
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| said by sweintz :
Yes. Let me change what I said a bit... - the *receiving* MTA should never send an NDR. The originating NDR could, assuming it does not allow its users to send mail claiming to be from outside domains. I think many ISPs still have their mail servers configured to allow relaying if the mail client is connecting from within that ISP's IP space.
Yes. The originating MTA often allows a user to set a "Return-Path" different from the user account. OTOH, you can't use that MTA if you don't have authorization to use it. Most spammers don't use such MTAs to send their spam, they use spamming proxies; which don't generate NDRs.
If you send email through such an MTA, and forge my email address, yes, I will get the NDR. But, I will report it. The MTA administrator will get a complaint. Guess to whom they will go when they get the complaint? Guess whose account is at risk of termination? Yours. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|