  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
| reply to JJV Re: SORBS got my buddy
ok, maybe I worded it wrong.
Sorbs has control over their list. If it's a dynamic IP they should change that.
Your buddy should tell that to sorbs so they change their list to show it's not a spammer IP but a dynamic IP address (which brings me to my problem with sorbs... if you are going to make a list of spammers IP addresses why would you include dynamic IP addresses? Why not work with the ISP's to find out if the IP address is static and if you determine it is static and the ISP's security dept will not turn that person off THEN block it? It's more work for sorbs, but it's a much more accurate tool.)
Or he could talk to whomever is blocking his mail (because they are using sorbs list).
Talking to sorbs would fix the issue. -- Positive Affirmation Of Creative Destruction |
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| said by Suffering :...(which brings me to my problem with sorbs... if you are going to make a list of spammers IP addresses why would you include dynamic IP addresses? Why not work with the ISP's to find out if the IP address is static and if you determine it is static and the ISP's security dept will not turn that person off THEN block it? It's more work for sorbs, but it's a much more accurate tool.) Or he could talk to whomever is blocking his mail (because they are using sorbs list). Talking to sorbs would fix the issue.
Maybe, maybe not; fix the issue. SORBS does maintain a list of dynamic IP address space; as do other DNSBL maintainers. If the IP address in question is a dynamic IP address, only the ISP can request any changes, and only according to the SORBS criteria.
Accurate? Here is what is accurate. Better than 90% of the spam I get is sent through open proxies on compromised computers connecting via dynamic IP addresses. 0% of the good email I receive comes from dynamic IP addresses. Explain to me why I should not block email from dynamic IP address space? If you have a dynamic IP address, you also have an ISP SMTP server, in most cases. There are still a few email service providers which offer SMTP service at no charge.
The SORBS list works just fine for my MX; if it changes to match your criteria, I would stop using it. Indeed, if the DNSBLs were to suddenly disappear, I would run my own DNS and create my own blocking lists. I would not be alone. -- Norman ~A dream, dream, no dream ~Voices of the night go across the forest ~A dream, dream, no dream ~Good night my good child |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| reply to Suffering
said by Suffering :ok, maybe I worded it wrong. Your buddy should tell that to sorbs so they change their list to show it's not a spammer IP
Why? Given the complaints of fake rolex spam spewing from 209.165.130.11, I'd say it's accurate to list it as a spam source.
GCI needs to fix the problem by convincing SORBS it won't happen again. (the rolex spam, that is) |
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
1 edit | said by sweintz :Why? Given the complaints of fake rolex spam spewing from 209.165.130.11, i'd say it's accurate to list it as a spam source. GCI needs to fix the problem by convincing SORBS it won't happen again. (the rolex spam, that is)
So you are telling me that:
1.) you know for a fact that this IP address has always belonged to this guy.
2.) mail headers can't be forged?
GCI owes sorbs nothing. If anything sorbs needs to contact the ISP's before blacklisting them in order to verify that spam is being sent out on that IP and the ISP isn't going to do anything about it. (btw, sorbs won't take the 'we fixed it' answer... they will make you give a 'donation')
I've said it before in this thread; sorbs has absolutely no authority to try to exert this pseudo control over ISP's IP addresses. They lead people to believe that their ISP can just drop them a line and all is well in the internet world when this is far from the truth.
Of course we are operating under the assumption that this guy didn't do the spamming and someone else did, but I would hope that would go without saying. -- kicking screaming gucci little piggy |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| said by Suffering :said by sweintz :Why? Given the complaints of fake rolex spam spewing from 209.165.130.11, i'd say it's accurate to list it as a spam source. GCI needs to fix the problem by convincing SORBS it won't happen again. (the rolex spam, that is) So you are telling me that: 1.) you know for a fact that this IP address has always belonged to this guy.
Irrelevant. It isn't his address now. It is GCI's mail server. The address and ISP have a documented history of abuse.
said by Suffering :2.) mail headers can't be forged?
Parts of headers can be forged, but not the final (top) received header, since that is created by the receiving mail server, not the sender. Therefore we know with 100% certainty that the spam was indeed coming from the address in question. |
|
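The point made in the post above about the top Received header, as an added example that is not part of the original thread: it reads only the hop stamped by the receiving MX, ignores the sender-supplied hops under it, and builds the DNSBL lookup name for that address. The host names, the zone `dnsbl.example`, the Postfix-style header layout and the sample message are all assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample. The top Received line is the one our own MX
# (mx.example.net, a hypothetical name) stamped on arrival; the line under
# it was supplied by the sender and may claim anything.
RAW = """\
Received: from mail.sender.example (unknown [192.0.2.25])
\tby mx.example.net with ESMTP id ABC123; Mon, 1 Jan 2007 10:00:00 -0500
Received: from trusted.bank.example ([198.51.100.7])
\tby mail.sender.example with SMTP; Mon, 1 Jan 2007 09:59:00 -0500
From: someone@sender.example
Subject: constructed sample

body
"""

# Postfix-style layout assumed: "from HELO (rdns [ip]) by OUR_MX ..."
TOP_HOP = re.compile(
    r"^from\s+\S+\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")

def connecting_ip(raw_message, our_mx):
    """Return the peer IP recorded by our_mx in the top Received header."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    top = " ".join(received[0].split())   # unfold continuation lines
    m = TOP_HOP.match(top)
    if not m or m.group(2).lower() != our_mx.lower():
        return None                       # top hop is not ours: trust nothing
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve):
    """resolve(name) returns a list of A-record strings, empty if NXDOMAIN."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(a.startswith("127.") for a in answers)
```

The resolver is passed in so the example runs offline; in production it would be a DNS A-record lookup against the list the MX actually uses.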
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| reply to Suffering
said by Suffering :If anything sorbs needs to contact the ISP's before blacklisting them in order to verify that spam is being sent out on that IP and the ISP isn't going to do anything about it. (btw, sorbs won't take the 'we fixed it' answer... they will make you give a 'donation') I've said it before in this thread; sorbs has absolutely no authority to try to exert this pseudo control over ISP's IP addresses. They lead people to believe that their ISP can just drop them a line and all is well in the internet world when this is far from the truth.
•SORBS is under no obligation to contact an ISP before they add an IP address to their list.
•SORBS has the authority to control connections to their own MX servers.
•SORBS can say what they will about an IP address, as long as they can back up their claims.
Any email administrator who would use any DNSBL has the obligation to understand the nature of the DNSBL before they use it; and, to stop using it if enough of their customers complain about it.
SORBS is out of line to request financial consideration, even if it is only a charitable donation; but SORBS can't force anybody to use their list. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
  sweintz Premium join:2002-03-01 Hamden, CT | well said, Norman.
Yeah, SORBS' charity donation thing is a bit much. But that's their own prerogative.
Sorbs is just a list. Period. They pseudocontrol nothing. |
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
| reply to NormanS NormanS I understand sorbs has no obligation to contact the ISP, but they shouldn't make it appear as though the ISP just needs to give them a jingle and the IP address will be removed.
I agree, sorbs has the authority to control their connections to their own mail servers.
I also agree, they can say whatever they want about an IP, however often their claims are unfounded (see my first post on page two).
I also agree that it's the mail server's admin that should understand and actually manage their DNSBL, however too many don't and (coming from personal experience here) will refer you to your ISP to have them contact sorbs.
My whole stance on sorbs is that they are too quick to blacklist, and greedy when it comes to taking you off the list. -- kicking screaming gucci little piggy |
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
| They are not greedy; they get nothing out of the levy they try to impose. Unless they are getting a kickback from the favorite charity of the admin paying their levy.
As for improper blocking, you have said this:
quote: So, sorbs has blocked several completely legitimate dynamic IP addresses and then wants the ISP to contact THEM in order to verify that it's a dynamic IP address.
Sorbs has no authority to make such requests to have the ISP's contact them..
What is so inaccurate about blocking dynamic IP addresses? 95% of all spam delivery attempts to my MX server, and 95% of all spam delivered to my ISP accounts comes from dynamic IP addresses. 0% of the email I want to receive is delivered through dynamic IP addresses. While I don't use SORBS, I do use NJABL and DSBL. I have drawn IP addresses listed by NJABL, or by DSBL; and I can't send end-to-end from my MTA to AOL MX servers. Period. Blocking dynamic IP addresses is just plain sensible pro-active protection of the MX server.
You also said: quote: SORBS has a nasty habit of blacklisting entire ranges of IP's from well-known ISP's.
Some well-known ISPs include MCI/UUNet and SBC. Guess who are No.1 and No.2 in the Spamhaus list of Rokso hosting ISPs?
Both of these facts, the volume of spam sourced from dynamic IP address space, and the number of hard-core spammers hosted by well-known ISPs, are indisputable; and sufficient to support SORBS' decisions on blocking.
The worst of their actions are trying to levy financial costs for delisting. Everything else is, well; SPEWS and SCBL are at least as aggressive as SORBS. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
| said by NormanS :What is so inaccurate about blocking dynamic IP addresses?
While I don't think people should run mail servers on dynamic IP addresses (isn't the point of PTR records to show some sort of accountability?) there is no way that sorbs or any other DNSBL can make a distinction between a dynamic address and static.
said by NormanS :Some well-known ISPs include MCI/UUNet and SBC. Guess who are No.1 and No.2 in the Spamhaus list of Rokso hosting ISPs?
Again, maybe I should rephrase. They blacklist entire ranges of IP's from ISP's who actively seek out spammers on their network.
In principle I don't disagree with much of how sorbs operates, it's their execution and the lack of action of 'admins' who use their DNSBL. -- kicking screaming gucci little piggy |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| said by Suffering :again, maybe I should rephrase. They blacklist entire ranges of IP's from ISP's who actively seek out spammers on their network. In principle I don't disagree with much of how sorbs operates, it's their execution and the lack of action of 'admins' who use their DNSBL.
Hmmm... care to cite some examples? MCI and SBC, for instance, certainly do not actively seek out spammers. In fact they even ignore complaints when the spammers are pointed out to them. True of many large ISP's.
I think there is a big problem with public perception erroneously believing that the large major ISP's are the good guys in the spam war. Most of them are definitely "black hat", and the telco's are probably the worst. |
|
  Suffering Retrovertigo Premium,VIP join:2004-03-06 127.0.0.1 clubs:
2 edits | said by sweintz :Hmmm... care to cite some examples?
Sure. This is how it works with Qwest DSL:
First off they proactively scan the network for people that are infected with viruses/spam zombies. If you are flagged then whenever your machine requests http traffic your browser is redirected to a walled garden environment that tells you that you have _____ on your system... clean it up. The end user can acknowledge that they have an issue on their PC and then continue browsing (meanwhile the ports that the infection uses are blocked). If the abuse department receives one complaint that includes header information leading back to a qwest subscriber that is spamming on the network (or if the person ignores the walled garden for an extended period of time, I think a month...) their account is disabled and they are kicked offline. After learning that Qwest has disabled the account because of some vulnerability on their system they are allowed to get it fixed (all the while they are offline) and if they assure Qwest it's fixed (kind of an honor system thing) then the account is re-enabled. They use a 3 strikes you're out system. They'll disable you 3 times. If you say you've fixed it and haven't 3 times... then sorry, you can't have Qwest as an ISP any longer. -- kicking screaming gucci little piggy |
|
  sweintz Premium join:2002-03-01 Hamden, CT
| said by Suffering :said by sweintz :Hmmm... care to cite some examples? sure. This is how it works with Qwest DSL: First off they proactively scan the network for people that are infected with viruses/spam zombies. If you are flagged then whenever your machine requests http traffic your browser is redirected to a walled garden environment that tells you that you have _____ on your system... clean it up. The end user can acknowledge that they have an issue on their PC and then continue browsing (meanwhile the ports that the infection uses are blocked). if the abuse department receives one complaint that includes header information leading back to a qwest subscriber that is spamming on the network (or if the person ignores the walled garden for a extended period of time, I think a month...) their account is disabled and they are kicked offline. After learning that Qwest has disabled the account because of some vulnerability on their system they are allowed to get it fixed (all the while they are offline) and if they assure Qwest it's fixed (kind of an honor system thing) then the account is re enabled. They use a 3 strikes you're out system. They'll disable you 3 times. if you say you've fixed it and haven't 3 times... then sorry, you can't have Qwest as an ISP any longer.
Nice, but ...
For instance why do they continue to host the webfinity spammers, for two years running now, after numerous complaints?
Why do they continue to host Brian Kramer? Jeff Peter's? Why do they keep such notorious spammers as these on their network?
actively seek out spammers my @ss. They have had these pointed out to them. They do nothing about it. |
|