Hello, Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools. We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back. Is SORBS still relevant and functional? Sincerely, Chris Conn B2B2C.ca
Good luck. Last time we heard back from them they were trying to extort us for $18,000 to have a huge block of IPs removed. They were listed from the day we received them from ARIN. After that we gave up on SORBS. On 4/4/12 3:53 PM, "Chris Conn" <cconn@b2b2c.ca> wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
Sincerely,
Chris Conn B2B2C.ca
They're still functional, still used by companies but I wouldn't make any observation on them running 'well'. A friend's office IP range got blocked and unblocked recently by them so they do seem to remove entries. Beyond that on NANOG you're pretty much into "light blue touch paper and retire to a safe distance" territory even mentioning them. There is a good chance you might get a reply from Sorbs here, they almost always seem to respond when things get raised on NANOG. Paul On 04/04/2012 09:53 AM, Chris Conn wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
Sincerely,
Chris Conn B2B2C.ca
On 4 April 2012 12:53, Chris Conn <cconn@b2b2c.ca> wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
I've been trying to login to their 'support' interface for a while now. Emails from them for creating a new account or trying to recover a password for an existing account don't actually come to me. I actually wrote Girish from the company that purchased SORBS (Proofpoint) about it (also CC'd here) and I have had no reply whatsoever either. I think we should all just NULL ROUTE all of their IP space on our borders to get their attention. Regards, Landon
Landon Stewart wrote:
I think we should all just NULL ROUTE all of their IP space on our borders to get their attention.
Yeah you're free to do that, as well as complain about it and SORBS in turn is free to put whatever the hell they feel like on their block lists and not remove it at all, ever, for whatever reason. One common theme I did notice in the countless and, dare I say, tiresome complaints about SORBS is that it hardly ever helps and may even make it worse. It's best to not complain about it and just accept it as a fact of life your IPs are listed on SORBS and move on. It's not the end of the world. Greetings, Jeroen -- Earthquake Magnitude: 3.0 Date: Wednesday, April 4, 2012 20:59:13 UTC Location: Baja California, Mexico Latitude: 32.6142; Longitude: -115.8417 Depth: 2.90 km
On 4 April 2012 14:21, Jeroen van Aart <jeroen@mompl.net> wrote:
Landon Stewart wrote:
I think we should all just NULL ROUTE all of their IP space on our borders to get their attention.
Yeah you're free to do that, as well as complain about it and SORBS in turn is free to put whatever the hell they feel like on their block lists and not remove it at all, ever, for whatever reason.
The latter part of that sentence has already been confirmed for years now.
It's best to not complain about it and just accept it as a fact of life your IPs are listed on SORBS and move on. It's not the end of the world.
It turns into a customer service issue for most service providers.
On 4/4/12 3:36 PM, Landon Stewart wrote:
It's best to not complain about it and just accept it as a fact of life your IPs are listed on SORBS and move on. It's not the end of the world.
It turns into a customer service issue for most service providers.
Eh, guess they'll just have to absorb the cost of that, like it's expected that the recipients of spam have to absorb the cost of ISPs not disconnecting infected/spamming customers... And like how I have to absorb the costs of spending my time during the day answering removal requests from people who lie to me constantly and hope that I don't notice their little games. Ever wonder why it takes time for DNSbl's to process removals, sometimes very long periods? Well, someone's gotta pay for that time the removal person does it (and I have yet to see a dime of compensation for the time I spend). -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Apr 6, 2012, at 10:54 , Brielle Bruns wrote:
On 4/4/12 3:36 PM, Landon Stewart wrote:
It's best to not complain about it and just accept it as a fact of life your IPs are listed on SORBS and move on. It's not the end of the world.
It turns into a customer service issue for most service providers.
Eh, guess they'll just have to absorb the cost of that, like it's expected that the recipients of spam have to absorb the cost of ISPs not disconnecting infected/spamming customers...
And like how I have to absorb the costs of spending my time during the day answering removal requests from people who lie to me constantly and hope that I don't notice their little games.
Ever wonder why it takes time for DNSbl's to process removals, sometimes very long periods? Well, someone's gotta pay for that time the removal person does it (and I have yet to see a dime of compensation for the time I spend).
No, they don't. Many DNSBLs use self-service tools. Someone has to write the tool, but the rest is automated. Total cost is power & space, which is frequently donated (I have personally donated some myself to DNSBLs I thought were well run). Besides, anyone who knowingly causes harm to a third party and claims "it is a cost of doing business" or "mostly people like it" or "our $FOO is targeted and almost always correct, you must be an outlier and that's why it costs you" sounds -exactly- like spammers to me. Spammers who are up-front about it I can deal with. Don't agree with or even like them, but at least we understand each other. Hypocrisy is a different story. -- TTFN, patrick
On 4/6/12 9:02 AM, Patrick W. Gilmore wrote:
No, they don't. Many DNSBLs use self-service tools. Someone has to write the tool, but the rest is automated. Total cost is power & space, which is frequently donated (I have personally donated some myself to DNSBLs I thought were well run).
Proxy removals and automated additions are self service removals. I don't trust automated removal for stuff that we add by hand. Too many variables, too much in the way of games... If I were to let the people in spam-sources request removal and handle removal entirely on their own without one of us reviewing it by hand, there'd be no entries left in my database.
Besides, anyone who knowingly causes harm to a third party and claims "it is a cost of doing business" or "mostly people like it" or "our $FOO is targeted and almost always correct, you must be an outlier and that's why it costs you" sounds -exactly- like spammers to me.
I was more pointing out to people that you expect someone else, who you've got no contractual obligation with, or relationship with, to make time and effort to handle a request you made. All I hear these days from people is that I have no right to tell them who they can have as customers, or how to run their business. Well, the reverse applies as well. I take great offense to people telling me how to run my own service, that I provide free at no charge with no obligations. When a provider actually works with me to resolve an issue, I bend over backwards to help them. Unfortunately, those kinds of providers are few and far in between.
Spammers who are up-front about it I can deal with. Don't agree with or even like them, but at least we understand each other. Hypocrisy is a different story.
Unfortunately, the apathy of providers, backbones, and network operators in general have created an environment that the almighty buck rules everything. Yeah, I've had offers for financial support of the AHBL. Turned them down every time, even though it would give me a chance to hire actual people to run it. But, then, I'd have someone hanging over my shoulder, pulling strings and interfering with my project. My independence goes out the window, and I can't truly say I have no financial interest in the listings. So, forgive me if my independence as a non-commercial DNSbl makes me somewhat jaded towards people who expect me to prioritize their demands over what pays the bills. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
This seems like a very 1999 anti-spam attitude. I have been doing anti-spam a long long time - literally since before Canter and Siegel (who I had as customers...) and before jj@cup.portal.com. It's not 1999 anymore. Patrick is not the enemy. Your attitude is worrying. The "I am not responsible for who uses the blacklist or what that means" isn't good enough anymore. George William Herbert Sent from my iPhone On Apr 6, 2012, at 8:37, Brielle Bruns <bruns@2mbit.com> wrote:
On 4/6/12 9:02 AM, Patrick W. Gilmore wrote:
No, they don't. Many DNSBLs use self-service tools. Someone has to write the tool, but the rest is automated. Total cost is power & space, which is frequently donated (I have personally donated some myself to DNSBLs I thought were well run).
Proxy removals and automated additions are self service removals. I don't trust automated removal for stuff that we add by hand. Too many variables, too much in the way of games...
If I were to let the people in spam-sources request removal and handle removal entirely on their own without one of us reviewing it by hand, there'd be no entries left in my database.
Besides, anyone who knowingly causes harm to a third party and claims "it is a cost of doing business" or "mostly people like it" or "our $FOO is targeted and almost always correct, you must be an outlier and that's why it costs you" sounds -exactly- like spammers to me.
I was more pointing out to people that you expect someone else, who you've got no contractual obligation with, or relationship with, to make time and effort to handle a request you made.
All I hear these days from people is that I have no right to tell them who they can have as customers, or how to run their business.
Well, the reverse applies as well. I take great offense to people telling me how to run my own service, that I provide free at no charge with no obligations.
When a provider actually works with me to resolve an issue, I bend over backwards to help them. Unfortunately, those kinds of providers are few and far in between.
Spammers who are up-front about it I can deal with. Don't agree with or even like them, but at least we understand each other. Hypocrisy is a different story.
Unfortunately, the apathy of providers, backbones, and network operators in general have created an environment that the almighty buck rules everything.
Yeah, I've had offers for financial support of the AHBL. Turned them down every time, even though it would give me a chance to hire actual people to run it. But, then, I'd have someone hanging over my shoulder, pulling strings and interfering with my project. My independence goes out the window, and I can't truly say I have no financial interest in the listings.
So, forgive me if my independence as a non-commercial DNSbl makes me somewhat jaded towards people who expect me to prioritize their demands over what pays the bills.
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 04/06/2012 08:49 AM, George Herbert wrote:
This seems like a very 1999 anti-spam attitude.
I have been doing anti-spam a long long time - literally since before Canter and Siegel (who I had as customers...) and before jj@cup.portal.com.
It's not 1999 anymore. Patrick is not the enemy. Your attitude is worrying. The "I am not responsible for who uses the blacklist or what that means" isn't good enough anymore.
I wonder how long a popularish blacklist operator would last if they, oh say, blacklisted all of google or microsoft before they got some very threatening letters from their legal staff. An hour? A day? A week? You may have the right to list them and change your mind in your own good time, but they also have the right to defend their reputation civilly too. With great power comes great responsibility and all that. Mike
On 4/6/12 10:02 AM, Michael Thomas wrote:
I wonder how long a popularish blacklist operator would last if they, oh say, blacklisted all of google or microsoft before they got some very threatening letters from their legal staff. An hour? A day? A week?
You may have the right to list them and change your mind in your own good time, but they also have the right to defend their reputation civilly too. With great power comes great responsibility and all that.
Slippery slope. For large providers who depend a lot on spam filters, that's one huge door to open that could get very ugly very quick in the reverse path. Imagine every ISP suing hotmail and google for blocking messages for arbitrary reasons with no apparent justification. What's good for the goose is good for the gander. There's also USC 47,230 to contend with. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 04/06/2012 09:17 AM, Brielle Bruns wrote:
On 4/6/12 10:02 AM, Michael Thomas wrote:
I wonder how long a popularish blacklist operator would last if they, oh say, blacklisted all of google or microsoft before they got some very threatening letters from their legal staff. An hour? A day? A week?
You may have the right to list them and change your mind in your own good time, but they also have the right to defend their reputation civilly too. With great power comes great responsibility and all that.
Slippery slope.
For large providers who depend a lot on spam filters, that's one huge door to open that could get very ugly very quick in the reverse path. Imagine every ISP suing hotmail and google for blocking messages for arbitrary reasons with no apparent justification.
What's good for the goose is good for the gander.
There's also USC 47,230 to contend with.
It's more of an arms race than a slippery slope, but my point is that a big enough company would absolutely respond if they felt a big enough blacklist was being capricious in a way that was affecting their making money. I sympathize with "my blacklist, my donated time, my rules", but when you're affecting their business, you better get it right and better respond reasonably when the inevitable screwups happen. The one absolute right you have is to not be in the blacklist business (paid or not) at all. Beyond that, you have responsibilities too, and it would be best for everybody to not take them lightly causing the entire thing to get escalated to the legal domain where everybody most likely loses. Mike
On 4/6/2012 12:35 PM, Michael Thomas wrote:
On 04/06/2012 09:17 AM, Brielle Bruns wrote:
On 4/6/12 10:02 AM, Michael Thomas wrote:
I wonder how long a popularish blacklist operator would last if they, oh say, blacklisted all of google or microsoft before they got some very threatening letters from their legal staff. An hour? A day? A week?
You may have the right to list them and change your mind in your own good time, but they also have the right to defend their reputation civilly too. With great power comes great responsibility and all that.
Slippery slope.
For large providers who depend a lot on spam filters, that's one huge door to open that could get very ugly very quick in the reverse path. Imagine every ISP suing hotmail and google for blocking messages for arbitrary reasons with no apparent justification.
What's good for the goose is good for the gander.
There's also USC 47,230 to contend with.
It's more of an arms race than a slippery slope, but my point is that a big enough company would absolutely respond if they felt a big enough blacklist was being capricious in a way that was affecting their making money.
I sympathize with "my blacklist, my donated time, my rules", but when you're affecting their business, you better get it right and better respond reasonably when the inevitable screwups happen. The one absolute right you have is to not be in the blacklist business (paid or not) at all. Beyond that, you have responsibilities too, and it would be best for everybody to not take them lightly causing the entire thing to get escalated to the legal domain where everybody most likely loses.
What grounds would these large senders have to file any legal objections against an RBL? RBLs don't block emails. Operators of mail servers who use RBLs block emails (in part) based on information from RBLs. No one has a "right" to send email to anyone else. Email is a cooperative agreement between sender and receiver. The receiver agrees to accept the email, but at any time and for any reason the receiver can stop agreeing to accept emails from a sender. It is completely legal to decide not to accept (i.e. block) emails from a sender. RBLs are not beholden to senders. RBLs are beholden to the receivers who use their RBL to preserve the quality of the RBL. RBLs are a meritocracy. If an RBL either lists too many valid senders or does not list enough bad senders, then receivers will notice and stop using the RBL on their servers. -DMM
On 07/04/12 05:11, David Miller wrote:
RBLs don't block emails. Operators of mail servers who use RBLs block emails (in part) based on information from RBLs.
If only one could convince end-users of this fact. More often than not, end-user simply sees the company that they pay to provide them with email service, unable to provide it.
No one has a "right" to send email to anyone else. Email is a cooperative agreement between sender and receiver. The receiver agrees to accept the email, but at any time and for any reason the receiver can stop agreeing to accept emails from a sender. It is completely legal to decide not to accept (i.e. block) emails from a sender.
Absolutely true. Of course, for the vast majority of end-users, they're simply expecting to be able to exchange email with anyone that has an email address. There's no connection between the end user, their local mail service providers administrators, and the decisions they make about who they'll exchange email with. Nevermind trying to make connections between mail service providers...
RBLs are not beholden to senders. RBLs are beholden to the receivers who use their RBL to preserve the quality of the RBL. RBLs are a meritocracy. If an RBL either lists too many valid senders or does not list enough bad senders, then receivers will notice and stop using the RBL on their servers.
Or receivers will be oblivious, and simply not care. (They don't know what they're not receiving). Consider an MSP with say, 1 Million mailboxes. What proportion of those customers are going to need to be affected by a poor RBL-based decision, and what proportion of those are going to be motivated to complain, and what proportion of those are going to get the attention of the right people, and what proportion of those will count for enough that the relevant beancounters see fit to change their RBL usage? Whilst I'm sure there's some players out there bucking the trend, the reality is that the sender's MSP winds up carrying a lot of the cost; they have to find an out-of-band method of engaging the receiving MSP, advising them of the predicament, and justifying some sort of exception; they also obviously have to be seen to try to get off the RBL (and we've seen how hard SORBS, notably, make this) and the receiving ISP can fall back on the 'well everyone else is fine, so the vast majority of our expected inbound email is fine, why should we care about you, and change our behavior because of it?' .... Sending MSP then has to try to explain the reality to their customer, and risk losing business because their competitor isn't (right now) having the same problems... Bottom of my rambly-line is that as a major point of issue with your post; you're posting the position of the Network or Mail Service Operator as it 'should' be, but not indeed how it actually is, in practise. (And FWIW I agree with the poster who pointed out that RBL's would be unnecessary if network operators took responsibility for the behavior of their networks (ala their customers). The small players are usually pretty damn good. It seems that the bigger you get, the less you care about issues that affect a smaller proportion of your scale. Which probably explains the attitude that several of the big players take around rejecting email due to obscure reasons... Mark.
On 4/6/12 9:49 AM, George Herbert wrote:
This seems like a very 1999 anti-spam attitude.
I have been doing anti-spam a long long time - literally since before Canter and Siegel (who I had as customers...) and before jj@cup.portal.com.
It's not 1999 anymore. Patrick is not the enemy. Your attitude is worrying. The "I am not responsible for who uses the blacklist or what that means" isn't good enough anymore.
I know he's not the enemy. Hate the idea that he would be. The only reason why I responded the way I did, was because I sit here, watching everyone talk about how SORBS is bad this, how they are bad that, how they need to change this, and how they need to change how they operate to their guidelines, not SORBS's guidelines. It's not directed at Patrick. I just got the feeling like he was saying it's okay for these people to dictate how SORBS operates. Like it's been said, DNSbl's have a right to run as they see fit, and handle removals as they see fit. Just like every ISP has the right to run their network as they see fit, and refuse to remove spamming customers and deal with network abuse. I've been working on variations of the AHBL since 1998 or so under different names, so if I seem 'old school' in my beliefs how the DNSbl is run, that's probably why. Reality is, people use a DNSbl how they see fit. I can't really control that without restricting access, requiring payments or registration, etc. I gave up years ago trying to tell people how not to use it, since no one actually listens. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
Brielle Bruns wrote:
Unfortunately, the apathy of providers, backbones, and network operators in general have created an environment that the almighty buck rules everything.
I totally agree with pretty much everything in this email. I also agree that blocking whole /24 or bigger when spam has been detected to come from such a block is more often than not a necessity. It's very unlikely to see 1 abuser in between an otherwise perfectly behaving network neighbourhood. Greetings, Jeroen -- Earthquake Magnitude: 5.5 Date: Friday, April 6, 2012 19:24:11 UTC Location: Kepulauan Mentawai region, Indonesia Latitude: -3.3944; Longitude: 100.4205 Depth: 1.00 km
On Fri, Apr 6, 2012 at 8:13 PM, Jeroen van Aart <jeroen@mompl.net> wrote:
Brielle Bruns wrote: to come from such a block is more often than not a necessity. It's very unlikely to see 1 abuser in between an otherwise perfectly behaving network neighbourhood.
That's kind of vague to say it's "unlikely to see 1 abuser". What is the probability that more IPs in the same /24 are likely to harbor abusers, given that you have received abuse from one IP? And how have you discovered this? ( What is the criteria used to determine that it is unlikely, and what is your source of the information?) Are you assuming that if you've seen the abuse, that you probably weren't the first victim, that the ISP has probably already been notified by someone else, that they have likely had a reasonable amount of time to put a stop to the abuse, and that they failed to do so? There is the one good case where a single abuser has a dynamic IP address; but it's not a safe assumption that they will live in the same /24 next time the abuser dials in. So not only does listing an entire /24 list innocent users' IP addresses, it also does not necessarily effectively list the one abuser. -- -JH
I don't think anyone would miss SORBS if it was gone, dare I say it not even a single person On Fri, Apr 6, 2012 at 9:48 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On Fri, Apr 6, 2012 at 8:13 PM, Jeroen van Aart <jeroen@mompl.net> wrote:
Brielle Bruns wrote: to come from such a block is more often than not a necessity. It's very unlikely to see 1 abuser in between an otherwise perfectly behaving network neighbourhood.
That's kind of vague to say it's "unlikely to see 1 abuser". What is the probability that more IPs in the same /24 are likely to harbor abusers, given that you have received abuse from one IP?
And how have you discovered this? ( What is the criteria used to determine that it is unlikely, and what is your source of the information?)
Are you assuming that if you've seen the abuse, that you probably weren't the first victim, that the ISP has probably already been notified by someone else, that they have likely had a reasonable amount of time to put a stop to the abuse, and that they failed to do so?
There is the one good case where a single abuser has a dynamic IP address; but it's not a safe assumption that they will live in the same /24 next time the abuser dials in.
So not only does listing an entire /24 list innocent users' IP addresses, it also does not necessarily effectively list the one abuser.
-- -JH
On Fri, 06 Apr 2012 20:48:44 -0500, Jimmy Hess said:
That's kind of vague to say it's "unlikely to see 1 abuser". What is the probability that more IPs in the same /24 are likely to harbor abusers, given that you have received abuse from one IP?
It's similar to piranhas or cockroaches - they can't be found everywhere, but if you spot one in a location, there's a near certainty that there's plenty more in the area. Or if you don't like that, you can run a simple Monte Carlo simulation. Assume 256 customer slots, and that initially, there is a 3% chance that the next customer to arrive is evil. Also add a feedback - each time you terminate an evil customer in less than the average arrival time, the chance the next customer is evil is cut by 10% of the current value. Each time an evil customer is allowed to last 3 times the average arrival time, the chance of an evil customer goes up 10%. Simulate for various termination times for evil customers. Are there any steady-state solutions where the *average* number of evil users is one? Or does it decay down towards zero or upwards towards a high number?
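The Monte Carlo experiment described in the message above, written out as an added example that is not part of the original post. The 256 slots, the 3% starting chance and the two 10% feedback rules come from the message; Poisson arrivals, a fixed time-to-termination, a cap of 1.0 on the probability, and evil customers holding a slot until they are terminated are assumptions made here to complete the model.

```python
import random
from collections import deque

SLOTS = 256          # customer slots in the /24 (from the post)
P_START = 0.03       # initial chance the next customer is evil (from the post)
MEAN_ARRIVAL = 1.0   # assumed time unit: average time between customer arrivals


def simulate(termination_time, arrivals=100_000, seed=2012):
    """Simulate one /24 and return (final_p_evil, mean_evil_customers).

    termination_time is how long the provider lets an evil customer stay
    online, in units of the average arrival time. The mean is the number of
    evil customers found online by each arrival in the second half of the
    run; with Poisson arrivals this equals the time average.
    """
    rng = random.Random(seed)
    p_evil = P_START
    active = deque()   # termination times of evil customers still online
    overdue = deque()  # instants at which an evil customer reaches 3x arrival time
    fast = termination_time < MEAN_ARRIVAL        # earns the 10% cut
    slow = termination_time >= 3 * MEAN_ARRIVAL   # earns the 10% increase
    now = 0.0
    seen = 0
    tail_start = arrivals // 2

    for n in range(arrivals):
        # Assumed arrival process: exponential gaps with mean MEAN_ARRIVAL.
        now += rng.expovariate(1.0 / MEAN_ARRIVAL)

        # Apply feedback for everything that happened before this arrival.
        while overdue and overdue[0] <= now:
            overdue.popleft()
            p_evil = min(1.0, p_evil * 1.10)  # evil customer lasted 3x arrival time
        while active and active[0] <= now:
            active.popleft()
            if fast:
                p_evil *= 0.90                # terminated faster than arrival time

        if n >= tail_start:
            seen += len(active)

        # Assumption: a good arrival simply replaces a good customer, so only
        # evil customers need tracking; a full block turns arrivals away.
        if len(active) < SLOTS and rng.random() < p_evil:
            active.append(now + termination_time)
            if slow:
                overdue.append(now + 3 * MEAN_ARRIVAL)

    return p_evil, seen / (arrivals - tail_start)


def sweep(termination_times=(0.5, 2.0, 3.0, 5.0, 50.0, 1000.0)):
    """Run the model for several termination times, as the post suggests."""
    return {t: simulate(t) for t in termination_times}


if __name__ == "__main__":
    print(f"{'termination':>12} {'final p(evil)':>14} {'mean evil online':>17}")
    for t, (p, mean_evil) in sweep().items():
        print(f"{t:>12.1f} {p:>14.5f} {mean_evil:>17.3f}")
```

Under these assumptions the chance of an evil arrival decays toward zero, stays at 3%, or climbs to 1.0 depending on which side of the two thresholds the termination time falls.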
The day SORBS goes away is the day abuse@yahoo.com starts functioning properly and yahoo starts booting spammers. The day SORBS goes away is the day BS like this stops happening: ----- The following addresses had permanent fatal errors ----- <abuse@noc.privatedns.com> (reason: 554 rejected due to spam content) -Dan
err, I don't know but yahoo hasn't yet acquired this random webhost whose abuse you're trying to mail On Friday, April 6, 2012, goemon@anime.net wrote:
The day SORBS goes away is the day abuse@yahoo.com starts functioning properly and yahoo starts booting spammers.
The day SORBS goes away is the day BS like this stops happening:
----- The following addresses had permanent fatal errors ----- <abuse@noc.privatedns.com> (reason: 554 rejected due to spam content)
-Dan
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Sat, 07 Apr 2012 07:00:52 +0530, Suresh Ramasubramanian said:
err, I don't know but yahoo hasn't yet acquired this random webhost whose abuse you're trying to mail
----- The following addresses had permanent fatal errors ----- <abuse@noc.privatedns.com> (reason: 554 rejected due to spam content)
Right - that one is doing stupid stuff like filtering out spam reports sent to abuse@ because they contain spam all by itself, without Yahoo's assistance. Yahoo is only a hegemony among spam havens, not a monopoly. There's still freelance havens out there, and they'll go away when SORBS does. I'm not so sanguine about Yahoo's chances of lasting till then though...
On Sat, Apr 7, 2012 at 7:25 AM, <Valdis.Kletnieks@vt.edu> wrote:
Yahoo is only a hegemony among spam havens, not a monopoly. There's still freelance havens out there, and they'll go away when SORBS does.
Sorbs did have a decent set of traps - and did catch a lot of spam. The problem was atrociously poor maintenance - stale entries, entries that'd reappear due to db issues, people skills of the volunteers handling the queue .. I'd have thought there'd be some improvement with their being acquired. Got to see. -- Suresh Ramasubramanian (ops.lists@gmail.com)
the yahoo item was a point all its own, unrelated to iweb's idiocy. yahoo no longer care to receive abuse reports from anyone at all. -Dan On Sat, 7 Apr 2012, Suresh Ramasubramanian wrote:
err, I don't know but yahoo hasn't yet acquired this random webhost whose abuse you're trying to mail
On Friday, April 6, 2012, goemon@anime.net wrote:
The day SORBS goes away is the day abuse@yahoo.com starts functioning properly and yahoo starts booting spammers.
The day SORBS goes away is the day BS like this stops happening:
----- The following addresses had permanent fatal errors ----- <abuse@noc.privatedns.com> (reason: 554 rejected due to spam content)
-Dan
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Yahoo's "personnel" have long since demonstrated that (a) they couldn't possibly care less about the spam, phishing, and other forms of abuse that they're emanating, supporting or hosting on a systemic and chronic basis (b) they are incapable of recognizing their own users, hosts, and networks even when same are explicitly pointed out to them (c) under no circumstances will they take any prompt or effective action -- they will, however, repeatedly lie about it and/or pass on complainers' personal information to the abusers so that they can retaliate. ---rsk
On Sat, 7 Apr 2012, Rich Kulawiec wrote: I recently had a similar run-in with another ISP unrelated to Yahoo. It involved a phishing site on one of their customers. Countless emails to their abuse@ email went unanswered. Then one day I bumped into their VP who was trying to sell me something. I asked him about why they appear so high on Ironport Senderbase with a huge spam pool as well as phishing sites that are not taken down. His answer, which might mirror Yahoo's (or not), was that at a corporate level they decided to only handle issues like this via a court order. They did not think it appropriate to interfere with their customers' data in any sort of way unless a court order told them to make it stop. Clearly, this is idiotic reasoning and only when others start blocking their IP ranges and DNS servers will they ever wake up. But when the ISP is big enough, they think no one will block them and if they do it will just be small cases and nothing massive that would make them into a 2nd league ISP. This therefore becomes a cost savings area since you no longer need any abuse staff to handle your customers. You just ignore it all. -Hank
Yahoo's "personnel" have long since demonstrated that (a) they couldn't possibly care less about the spam, phishing, and other forms of abuse that they're emanating, supporting or hosting on a systemic and chronic basis (b) they are incapable of recognizing their own users, hosts, and networks even when same are explicitly pointed out to them (c) under no circumstances will they take any prompt or effective action -- they will, however, repeatedly lie about it and/or pass on complainers' personal information to the abusers so that they can retaliate.
---rsk
On Sat, Apr 07, 2012 at 08:33:10PM +0300, Hank Nussbacher wrote:
On Sat, 7 Apr 2012, Rich Kulawiec wrote: Clearly, this is idiotic reasoning and only when others start blocking their IP ranges and DNS servers will they ever wake up.
But how idiotic is it? Do you have all Yahoo IP space and domains blocked on your mail server? How many mailboxes does that cover? What percentage of Yahoo's daily e-mail volume are you blocking, and how much of a rat's arse do you think Yahoo cares? I think you can see where I'm going with this. It's only "idiotic reasoning" if it doesn't work, and so far as I can see, it's working just great -- there are effectively service providers who are "too big to fai^Wblock", and so they get away with things that everyone else would only dream of. They do care about the "almighty buck" more than the 'net, but I'd say that almost all of us do, because almost none of us are willing to take the plunge and block Yahoo and other giant providers of spam and other abuse. (For the record, I'm in this camp, too -- I'm not willing to lose my job -- my almighty buck -- for taking the step of blocking Yahoo, so I'm not any sort of trailblazer along this path). To anyone out there who is blocking Yahoo, and is big enough for them to take notice, bravo to you! Speak up, tell the world what you're doing, and it might give the rest of us the courage and the precedent to do the same. - Matt -- A friend is someone you can call to help you move. A best friend is someone you can call to help you move a body.
Something I'm considering is just limiting the max size of an email from Yahoo severely, enough to say "I've changed my address from yahoo to _______". We get pounded day and night with multimegabyte (per each) spam emails from them. Yahoo isn't the only one but the most frequent. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Apr 7, 2012, at 6:35 PM, Barry Shein wrote:
Something I'm considering is just limiting the max size of an email from Yahoo severely, enough to say "I've changed my address from yahoo to _______".
We get pounded day and night with multimegabyte (per each) spam emails from them.
Yahoo isn't the only one but the most frequent.
As for Yahoo, the problem will probably go away on its own over time. The problem with companies that are in questionable/bad financial shape is that they defund many activities that do not seem important but actually are. These, such as abuse handling, will actually cause them to increase their spiral down by causing more customers away. Another item of interest is that Yahoo says they will only accept ARF (RFC-5965) reports to "abuse@". However, they reject all ARF abuse reports just like the plain text ones. So much for standards support.... As an aside, one can not/will not/may not block all their mailservers but I would suggest blocking all mail that contains their shortener, y.ahoo.it. It is highly abused and they don't respond to abuse reports on it either. It's a real shame that the original high quality search engine/company that everyone aspired to be on has fallen so far both financially and in quality. As for SORBS, most competent mail admins dropped its use a long time ago. I thought when Proofpoint took it over things would change (I actually thought they would dump the SORBS name because of bad karma) but it hasn't happened.
On Apr 7, 2012, at 4:41 PM, TR Shaw wrote:
As for SORBS, most competent mail admins dropped its use a long time ago. I thought when Proofpoint took it over things would change (I actually thought they would dump the SORBS name because of bad karma) but it hasn't happened.
Out of curiosity, has anyone other than the OP and one other gentleman on the 4th had a serious issue? Do we know whether the issues from the 4th have been resolved? I'm wondering whether this is a chronic issue, or if folks are just extrapolating from one complaint. I looked back through the archives for the last year and the only other SORBS mentions were in July and August of last year. -- chort
On Mon, Apr 09, 2012 at 09:50:00AM -0700, Brian Keefer wrote:
On Apr 7, 2012, at 4:41 PM, TR Shaw wrote:
As for SORBS, most competent mail admins dropped its use a long time ago. I thought when Proofpoint took it over things would change (I actually thought they would dump the SORBS name because of bad karma) but it hasn't happened.
Out of curiosity, has anyone other than the OP and one other gentleman on the 4th had a serious issue? Do we know whether the issues from the 4th have been resolved? I'm wondering whether this is a chronic issue, or if folks are just extrapolating from one complaint.
I looked back through the archives for the last year and the only other SORBS mentions were in July and August of last year.
I last worked at an ISP back in 2006, so this may not be relevant today. I do remember however relying pretty much exclusively on Spamhaus. Originally used SORBS too but found they were overly aggressive on what they'd add to their RBL. Maybe great if you're an individual user, but not so great to be blocking all of yahoo/gmail, etc as an ISP. Don't think they were as frustrating to deal with as Spamcop though :) Ray
On 04/09/12 09:50 -0700, Brian Keefer wrote:
On Apr 7, 2012, at 4:41 PM, TR Shaw wrote:
As for SORBS, most competent mail admins dropped its use a long time ago. I thought when Proofpoint took it over things would change (I actually thought they would dump the SORBS name because of bad karma) but it hasn't happened.
Out of curiosity, has anyone other than the OP and one other gentleman on the 4th had a serious issue? Do we know whether the issues from the 4th have been resolved? I'm wondering whether this is a chronic issue, or if folks are just extrapolating from one complaint.
I looked back through the archives for the last year and the only other SORBS mentions were in July and August of last year.
I've had nothing but sore issues with SORBS and getting removed from whatever black list was getting us blocked by participating mail systems. Our ARIN allocation is: 67.217.144.0/20 and SORBS had us listed within a larger black listed range, like the containing /12. It took us weeks to be removed from that range (or to have an exception added). This was probably a couple of years ago, or early last year. -- Dan White
Our ARIN allocation is:
67.217.144.0/20
and SORBS had us listed within a larger black listed range, like the containing /12. It took us weeks to be removed from that range (or to have an exception added). This was probably a couple of years ago, or early last year.
Our experience with their DUHL was very similar, and around the same time. My post to NANOG about it is here: http://mailman.nanog.org/pipermail/nanog/2011-June/037568.html Despite the only public reply being utterly unhelpful, the post resulted in human contact from SORBs and an eventual resolution of the issue. I have observed this pattern repeated several times on-list since then (and several times prior to my post), so it would seem that posting to NANOG is (or, at that time, was) part of their delisting process. Nathan Eisenberg
Generally when faced with SORBS related blocking, I have found it far more effective to contact the receiving side and show them the ample Google history about SORBS and the effect it has on their ability to receive email their customers/employees have requested, and have them either change their email policies, or their executives change their email admins. I'm honestly amazed these days every time I run into someone still blocking based on SORBS, or even giving a non insignificant point score as such. -Blake
drop condition = ${if isip4{$sender_host_address}}
     message   = blocked because $sender_host_address is \
                 in blacklist at $dnslist_domain: $dnslist_text
     !dnslists = list.dnswl.org
     dnslists  = dialups.mail-abuse.org \
               : rbl-plus.mail-abuse.org \
               : dnsbl.sorbs.net \
               : zen.spamhaus.org
     logwrite  = REJECT because $sender_host_address listed in $dnslist_domain

works pretty well for me. looking forward to a bit of ipv6 prophylaxis

randy
On Tue, 10 Apr 2012, Randy Bush wrote:
drop condition = ${if isip4{$sender_host_address}}
     message   = blocked because $sender_host_address is \
                 in blacklist at $dnslist_domain: $dnslist_text
     !dnslists = list.dnswl.org
     dnslists  = dialups.mail-abuse.org \
               : rbl-plus.mail-abuse.org \
               : dnsbl.sorbs.net \
               : zen.spamhaus.org
     logwrite  = REJECT because $sender_host_address listed in $dnslist_domain
works pretty well for me. looking forward to a bit of ipv6 prophylaxis
If you were to move dialups.mail-abuse.org below zen.spamhaus.org (assuming these are checked in the order they're entered in the config), I'm curious if dialups.mail-abuse.org would block anything. If it did, I'd be curious if those were FPs. :) ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
dnslists = dialups.mail-abuse.org \ : rbl-plus.mail-abuse.org \
Are you paying Trend for access to these?
yes, i have an arrangement
I used to pay (not very much) but realized several years ago that after using the Spamhaus lists, MAPS didn't catch anything useful. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
i have not tested to see who catches what. not really into spam research. just trying to reduce it for a server. randy
On 13 Apr 2012 22:01:14 -0000, "John Levine" said:
dnslists = dialups.mail-abuse.org \ : rbl-plus.mail-abuse.org \
Are you paying Trend for access to these? If not, you're not getting any answers from them and they're not blocking anything.
Do they return a canned answer that says "don't block", or do you get to wait for a DNS timeout?
Are you paying Trend for access to these? If not, you're not getting any answers from them and they're not blocking anything.
Do they return a canned answer that says "don't block", or do you get to wait for a DNS timeout?
Is there some reason you're asking random people rather than spending the 30 seconds needed to find out for yourself? R's, John
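Added example, not part of any message in this thread: a Python sketch of the two questions raised around Randy's ACL, namely which list in the chain actually adds blocks, and whether a list answers at all or just times out. The lookup results in FAKE_DNS, the UNREACHABLE set and the resolver stub fake_resolve are constructed for illustration (documentation addresses only) and say nothing about what any of these lists really return.

```python
import ipaddress

LISTED, NOT_LISTED, NO_ANSWER = "listed", "not-listed", "no-answer"
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL return codes live here


def dnsbl_qname(ip, zone):
    """Query name for an IPv4 address: reversed octets, then the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only, like the isip4 condition in the ACL")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(rcode, answers):
    """Turn one DNS result into a DNSBL outcome.

    NXDOMAIN (or NOERROR with no A record) means not listed. A records inside
    127.0.0.0/8 mean listed. Timeouts, REFUSED, SERVFAIL and A records outside
    127.0.0.0/8 are kept apart as "no answer": the list told us nothing.
    """
    if rcode == "NXDOMAIN" or (rcode == "NOERROR" and not answers):
        return NOT_LISTED
    if rcode == "NOERROR" and all(ipaddress.ip_address(a) in DNSBL_NET for a in answers):
        return LISTED
    return NO_ANSWER


def evaluate(ip, whitelist, blocklists, resolve):
    """Mimic the ACL order: a whitelist hit skips the drop, otherwise the first
    blocklist that lists the IP wins. This sketch treats "no answer" as a
    non-match. Returns (decision, deciding_zone, outcomes_seen_so_far)."""
    outcomes = {}
    for decision, zones in (("accept", whitelist), ("drop", blocklists)):
        for zone in zones:
            outcomes[zone] = classify(*resolve(dnsbl_qname(ip, zone)))
            if outcomes[zone] == LISTED:
                return decision, zone, outcomes
    return "accept", None, outcomes


def zone_report(ips, blocklists, resolve):
    """Per zone: sample IPs it listed, IPs only it listed (what the zone adds,
    whatever its position in the chain), and lookups that got no answer."""
    report = {z: {"listed": 0, "unique": 0, "no_answer": 0} for z in blocklists}
    for ip in ips:
        results = {z: classify(*resolve(dnsbl_qname(ip, z))) for z in blocklists}
        hits = [z for z, r in results.items() if r == LISTED]
        for z, r in results.items():
            report[z]["listed"] += r == LISTED
            report[z]["no_answer"] += r == NO_ANSWER
        if len(hits) == 1:
            report[hits[0]]["unique"] += 1
    return report


# Zones in the order they appear in the ACL quoted in the thread.
WHITELIST = ["list.dnswl.org"]
BLOCKLISTS = ["dialups.mail-abuse.org", "rbl-plus.mail-abuse.org",
              "dnsbl.sorbs.net", "zen.spamhaus.org"]

# Constructed lookup results; anything absent is answered NXDOMAIN.
FAKE_DNS = {
    "10.2.0.192.dnsbl.sorbs.net": ("NOERROR", ["127.0.0.2"]),
    "10.2.0.192.zen.spamhaus.org": ("NOERROR", ["127.0.0.2"]),
    "20.100.51.198.dnsbl.sorbs.net": ("NOERROR", ["127.0.0.2"]),
    "30.113.0.203.zen.spamhaus.org": ("NOERROR", ["127.0.0.2"]),
    "30.113.0.203.list.dnswl.org": ("NOERROR", ["127.0.0.2"]),
}
# Constructed stand-in for zones the querying host gets no answer from.
UNREACHABLE = {"dialups.mail-abuse.org", "rbl-plus.mail-abuse.org"}
SAMPLE_IPS = ["192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.99"]


def fake_resolve(qname):
    """Hypothetical resolver stub: returns (rcode, [A records]) without network."""
    if any(qname.endswith("." + zone) for zone in UNREACHABLE):
        return "TIMEOUT", []
    return FAKE_DNS.get(qname, ("NXDOMAIN", []))


if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        decision, zone, _ = evaluate(ip, WHITELIST, BLOCKLISTS, fake_resolve)
        print(ip, decision, zone)
    for zone, stats in zone_report(SAMPLE_IPS, BLOCKLISTS, fake_resolve).items():
        print(zone, stats)
```

A zone whose report shows listed 0 and no_answer equal to the sample size is contributing nothing to the ACL except lookup latency; a zone with unique 0 blocks nothing the other lists do not already block.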
On Apr 7, 2012, at 19:41 , TR Shaw wrote:
As for Yahoo, the problem will probably go away on its own over time. The problem with companies that are in questionable/bad financial shape is that they defund many activities that do not seem important but actually are. These, such as abuse handling, will actually cause them to increase their spiral down by causing more customers away.
For the 3 months ending 2011-12-31 (last quarter available), Yahoo!'s revenue was US$1.3B, with a net income of nearly US$300M - for the _quarter_. I wish I were in such "questionable/bad financial shape". Before anyone pounces, yes, I know they're not growing. The results above are up slightly from Q3 2011, although down slightly (~5%) from Q4 2010. But they still make more revenue & profit than 99.mumble% of the companies represented on this list. And they have more than enough to do abuse correctly. Perhaps more importantly, I seriously doubt Yahoo! mail is going away any time soon. -- TTFN, patrick
On Fri, 6 Apr 2012, Patrick W. Gilmore wrote:
Ever wonder why it takes time for DNSbl's to process removals, sometimes very long periods? Well, someone's gotta pay for that time the removal person does it (and I have yet to see a dime of compensation for the time I spend).
No, they don't. Many DNSBLs use self-service tools. Someone has to write the tool, but the rest is automated. Total cost is power & space, which is frequently donated (I have personally donated some myself to DNSBLs I thought were well run).
This depends on the DNSBL, the type of listing, and that DNSBL's policies. Some DNSBLs, some listings, automated removal is possible and appropriate. Sometimes it's not, and a human is needed to make the decision as to whether a delisting request should be granted or refused. Even when there is a path for automated removals via a web form, not everyone will find or use that path. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Wed, Apr 04, 2012 at 01:55:46PM -0700, Landon Stewart wrote:
On 4 April 2012 12:53, Chris Conn <cconn@b2b2c.ca> wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
I've been trying to login to their 'support' interface for a while now. Emails from them for creating a new account or trying to recover a password for an existing account don't actually come to me. I actually wrote Girish from the company that purchased SORBS (Proofpoint) about it (also CC'd here) and I have had no reply whatsoever either.
I think we should all just NULL ROUTE all of their IP space on our borders to get their attention.
By a happy coincidence, I got mail today from Scott Greco of Proofpoint, asking if we could get together to discuss their products. I've replied to that with a summary of this thread, and am Cc:ing him on this mail, as well. Maybe we can get their attention, though past experience with SORBS does not exactly imbue me with confidence. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin
Hi, We had an issue with one of our old subnets which was used as a pool for dynamic dial-up in the past, which we now use for virtual hosting. It took me a few hours but I was able to get it removed from the DUHL list. ( And a few walks around the block to calm me down after dealing with their robot =D ). As for being removed from their SPAM RBL that might be another story.. Actually knowing Chris, and his outfit, that 18k request seems unwarranted :( As for SORBS, they have a ticket system at http://support.sorbs.net/ which uses the same username/password as https://www.us.sorbs.net. You can follow up there with your ticket #, if their robot is being a bit too fascist. ( ecarbonel was the guy that helped us in our case ) PS: The ticketing system is not that fast, so be patient. /wave Chris ----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 On 04/04/12 16:55, Landon Stewart wrote:
On 4 April 2012 12:53, Chris Conn<cconn@b2b2c.ca> wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
I've been trying to login to their 'support' interface for a while now. Emails from them for creating a new account or trying to recover a password for an existing account don't actually come to me. I actually wrote Girish from the company that purchased SORBS (Proofpoint) about it (also CC'd here) and I have had no reply whatsoever either.
I think we should all just NULL ROUTE all of their IP space on our borders to get their attention.
Regards, Landon
On 4 April 2012 14:27, Alain Hebert <ahebert@pubnix.net> wrote:
As for SORBS, they have a ticket system at http://support.sorbs.net/ which uses the same username/password as https://www.us.sorbs.net. You can follow up there with your ticket #, if their robot is being a bit too fascist. ( ecarbonel was the guy that helped us in our case )
Yeah that's my main complaint right now is that we can't get into their ticket system *or* register a new account for our AS. The new account registration email never gets received for confirmation. The account we used to use doesn't work despite it being somewhere around 7 years old.
PS: The ticketing system is not that fast, so be patient.
It's better than it was a few months ago I must say. It was almost absolutely unusably slow the last time I was in there probably late last year some time. --- Landon Stewart <lstewart@superb.net> Sr. Administrator Systems Engineering Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead of the Rest": www.superb.net
Some of the IPs I manage got blacklisted and it's true they were spamming and Sorbs had a very valid reason for blacklisting them. I got this response from sorbs after resolving the problem amicably. Sorbs responded well on time.
Your request appear to have been resolved. If you have any further questions or concerns, please respond to this message. Please note: If your IP address has been delisted (marked as 'Inactive'), it will take up to 2 hours to get from the database to all the SORBS DNS servers. Changes to the database are exported to the DNS zone files periodically, not immediately after every change. Furthermore, after the updated database contents have been exported to the DNS zone files, it will then take up to 48 hours for the outdated DNS information to be removed from DNS caches around the world - none of these are in SORBS' control. Please do not reply to this call with problems not related to this ticket or your request will be ignored.
On Wed, Apr 4, 2012 at 10:53 PM, Chris Conn <cconn@b2b2c.ca> wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
Sincerely,
Chris Conn B2B2C.ca
-- Samson Oduor
Now, if we could only teach Senderbase that if their customers receive 'questionable' smtp traffic from 1 IP address in a /24 it doesn't mean that all IP addresses in that /24 are malicious we'd really be living it up in 2012.
-----Original Message----- From: Sam Oduor [mailto:sam.oduor@gmail.com] Sent: Thursday, April 05, 2012 7:56 AM To: Chris Conn Cc: nanog@nanog.org Subject: Re: SORBS?!
Some of the IPs I manage got blacklisted and it's true they were spamming and Sorbs had a very valid reason for blacklisting them. I got this response from sorbs after resolving the problem amicably. Sorbs responded well on time.
Your request appear to have been resolved. If you have any further questions or concerns, please respond to this message. Please note: If your IP address has been delisted (marked as 'Inactive'), it will take up to 2 hours to get from the database to all the SORBS DNS servers. Changes to the database are exported to the DNS zone files periodically, not immediately after every change. Furthermore, after the updated database contents have been exported to the DNS zone files, it will then take up to 48 hours for the outdated DNS information to be removed from DNS caches around the world - none of these are in SORBS' control. Please do not reply to this call with problems not related to this ticket or your request will be ignored.
On Wed, Apr 4, 2012 at 10:53 PM, Chris Conn <cconn@b2b2c.ca> wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
Sincerely,
Chris Conn B2B2C.ca
-- Samson Oduor
This is often the only way to get people's attention and get action. Providers don't care about individual /32's and will let them sit around and spew Nigerian scams and pill spams without any consequences. But they will care about a /24. -Dan On Thu, 5 Apr 2012, Drew Weaver wrote:
Now, if we could only teach Senderbase that if their customers receive 'questionable' smtp traffic from 1 IP address in a /24 it doesn't mean that all IP addresses in that /24 are malicious we'd really be living it up in 2012.
-----Original Message----- From: Sam Oduor [mailto:sam.oduor@gmail.com] Sent: Thursday, April 05, 2012 7:56 AM To: Chris Conn Cc: nanog@nanog.org Subject: Re: SORBS?!
Some of the IPs I manage got blacklisted and it's true they were spamming and Sorbs had a very valid reason for blacklisting them.
I got this response from sorbs after resolving the problem amicably. Sorbs responded well on time.
Your request appear to have been resolved. If you have any further questions or concerns, please respond to this message.
Please note:
If your IP address has been delisted (marked as 'Inactive'), it will take up to 2 hours to get from the database to all the SORBS DNS servers. Changes to the database are exported to the DNS zone files periodically, not immediately after every change. Furthermore, after the updated database contents have been exported to the DNS zone files, it will then take up to 48 hours for the outdated DNS information to be removed from DNS caches around the world - none of these are in SORBS' control.
Please do not reply to this call with problems not related to this ticket or your request will be ignored.
On Wed, Apr 4, 2012 at 10:53 PM, Chris Conn <cconn@b2b2c.ca> wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
Sincerely,
Chris Conn B2B2C.ca
-- Samson Oduor
On Thu, 5 Apr 2012, Drew Weaver wrote:
Now, if we could only teach Senderbase that if their customers receive
'questionable' smtp traffic from 1 IP address in a /24 it doesn't mean that all IP addresses in that /24 are malicious we'd really be living it up in 2012.
On 5 April 2012 09:48, <goemon@anime.net> wrote:
This is often the only way to get people's attention and get action.
Providers don't care about individual /32's and will let them sit around and spew Nigerian scams and pill spams without any consequences.
But they will care about a /24.
-Dan
If the purpose of blacklist is to block spam for recipients using that blacklist then a /32 works. If the purpose of a blacklist is to annoy providers then a /24 works. The most reputable and useful blacklists IMHO are Spamhaus and Spamcop - they don't block /24s. Spamhaus sometimes does if your rwhois shows that a large amount of the /24 is owned by the offending party but generally they don't. In my opinion a blacklist is useful when it notifies a provider of a listing, provides the reason for the listing and gives you a way to remove the listing. Spamhaus encourages companies to resolve all the issues while only blocking /32s by showing all the listings under your responsibility and making nice to see that list empty. Pretty simple. Incidentally SORBS usually blocks /24s and, as far as I know, provides no way for you to lookup all listings under a provider's responsibility (by AS or otherwise). Incidentally, I have yet to see anything from Proofpoint, SORBS or their support system regarding the access issues we are having to their system. If anyone has another contact at Proofpoint other than Girish I'd appreciate knowing what it is. --- Landon Stewart <lstewart@superb.net> Sr. Administrator Systems Engineering Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead of the Rest": www.superb.net
On Thu, 5 Apr 2012, Landon Stewart wrote:
If the purpose of blacklist is to block spam for recipients using that blacklist then a /32 works. If the purpose of a blacklist is to annoy providers then a /24 works. The most reputable and useful blacklists IMHO are Spamhaus and Spamcop - they don't block /24s. Spamhaus sometimes does if your rwhois shows that a large amount of the /24 is owned by the offending party but generally they don't.
Spamhaus may not default to doing /24 listings for a /32 spam emitter, but they certainly do list /24s or shorter subnets when they feel it's appropriate. They even do "escalations" to corporate mail servers on rare occasions when a provider appears to be complicit with spammers and ignoring their SBLs. The purpose thing is an interesting question though. Is the purpose of DNSBLs simply to help admins avoid accepting spam from spammers or to attempt to prevent spammers from operating on the internet? For most of the DNSBLs I'm familiar with, I'd say they're trying to do both.
Spamhaus encourages companies to resolve all the issues while only blocking /32s by showing all the listings under your responsibility and making nice to see that list empty. Pretty simple. Incidentally SORBS usually blocks /24s and, as far as I know, provides no way for you to lookup all listings under a provider's responsibility (by AS or otherwise).
That's really either not true or an oversimplification. Spamhaus blocks shorter than /32 pretty frequently. You could maybe argue that Spamhaus works harder to avoid innocent collateral damage. Having not used SORBS for many years, I couldn't say if that's true or not. The vast majority of my recent years interactions with SORBS have been trying to get inappropriately listed IPs removed from their DUHL. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
That's probably a better idea. I moved "into" a /24 ip block that was SWIPed to me that they reported was "dynamic cable/DSL users" (no spam history, mind you). Didn't matter, I couldn't send e-mail. When trying to get it delisted I had a TTL on the zone that was "incompatible" with their standards (for DR failover purposes) and was unwilling to maintain a TTL of how many ever hours they wanted as it didn't fit the company's requirements. I ended up just getting a new IP block from the ISP as they gave up on resolving it too. Kind of a waste, but it worked. I relocated to there instead. 1 year later they updated my ticket and delisted it. On Thu, Apr 5, 2012 at 11:45 AM, Nick Hilliard <nick@foobar.org> wrote:
On 05/04/2012 17:48, goemon@anime.net wrote:
But they will care about a /24.
I'm curious as to why they would want to stop at /24. If you're going to take the shotgun approach, why not blacklist the entire ASN?
Nick
On Thu, Apr 05, 2012 at 06:45:30PM +0100, Nick Hilliard wrote:
On 05/04/2012 17:48, goemon@anime.net wrote:
But they will care about a /24.
I'm curious as to why they would want to stop at /24. If you're going to take the shotgun approach, why not blacklist the entire ASN?
It's a balancing act. Too little collateral damage and the provider hosting the spammer isn't motivated to act. Too much collateral damage, and no one uses your blacklist because using it generates too many user complaints, and then your list doesn't motivate anyone to do anything because there's no real downside to being on the list. Just the right amount of collateral damage, and your list gets widely used, and causes enough pain on the other of the /24 that they clean things up. I'm not arguing for or against any particular amount of collateral damage. Just commenting on the effects of varying amounts of collateral damage. -- Brett
That's just not true, we would much rather be notified of something that a reputation list finds objectionable and take it down ourselves than have Senderbase set a poor reputation on dozens of IaaS customers. -Drew -----Original Message----- From: goemon@anime.net [mailto:goemon@anime.net] Sent: Thursday, April 05, 2012 12:48 PM To: Drew Weaver Cc: 'Sam Oduor'; Chris Conn; nanog@nanog.org Subject: RE: SORBS?! This is often the only way to get people's attention and get action. Providers don't care about individual /32's and will let them sit around and spew Nigerian scams and pill spams without any consequences. But they will care about a /24. -Dan On Thu, 5 Apr 2012, Drew Weaver wrote:
Now, if we could only teach Senderbase that if their customers receive 'questionable' smtp traffic from 1 IP address in a /24 it doesn't mean that all IP addresses in that /24 are malicious we'd really be living it up in 2012.
-----Original Message----- From: Sam Oduor [mailto:sam.oduor@gmail.com] Sent: Thursday, April 05, 2012 7:56 AM To: Chris Conn Cc: nanog@nanog.org Subject: Re: SORBS?!
Some of the IPs I manage got blacklisted and it's true they were spamming and Sorbs had a very valid reason for blacklisting them.
I got this response from sorbs after resolving the problem amicably. Sorbs responded well on time.
Your request appear to have been resolved. If you have any further questions or concerns, please respond to this message.
Please note:
If your IP address has been delisted (marked as 'Inactive'), it will take up to 2 hours to get from the database to all the SORBS DNS servers. Changes to the database are exported to the DNS zone files periodically, not immediately after every change. Furthermore, after the updated database contents have been exported to the DNS zone files, it will then take up to 48 hours for the outdated DNS information to be removed from DNS caches around the world - none of these are in SORBS' control.
Please do not reply to this call with problems not related to this ticket or your request will be ignored.
On Wed, Apr 4, 2012 at 10:53 PM, Chris Conn <cconn@b2b2c.ca> wrote:
Hello,
Is anyone from SORBS still listening? We have a few IP addresses here and there that are listed, one in particular that has been for a spam incident from over a year ago. The "last spam" date is 03/05/2011 according to their lookup tools.
We don't have access to their Net Manager even if our ARIN POC corresponds to the account on their system we opened a while ago. We use their ISP feedback form and never get any responses back.
Is SORBS still relevant and functional?
Sincerely,
Chris Conn B2B2C.ca
-- Samson Oduor
On Fri, 06 Apr 2012 07:31:47 -0400, Drew Weaver said:
That's just not true, we would much rather be notified of something that a reputation list finds objectionable and take it down ourselves than have Senderbase set a poor reputation on dozens of IaaS customers.
If it was industry-wide standard practice that just notifying a provider resulted in something being done, we'd not need things like Senderbase, which is after all basically a list of people who don't take action when notified...
That is again, not true. Senderbase's listings don't correlate to any public information so it's pretty much impossible to pro-actively protect ourselves from having our IPs set to poor. I.e. when Senderbase assigns IPs to poor, those same IPs aren't listed on any RBLs or anything. They operate in a vacuum where there is no visibility into why they do anything. Unlike organizations like Spamhaus where you know exactly why IPs are listed. Thanks, -Drew -----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Friday, April 06, 2012 9:48 AM To: Drew Weaver Cc: 'goemon@anime.net'; nanog@nanog.org Subject: Re: SORBS?! On Fri, 06 Apr 2012 07:31:47 -0400, Drew Weaver said:
That's just not true, we would much rather be notified of something that a reputation list finds objectionable and take it down ourselves than have Senderbase set a poor reputation on dozens of IaaS customers.
If it was industry-wide standard practice that just notifying a provider resulted in something being done, we'd not need things like Senderbase, which is after all basically a list of people who don't take action when notified...
On Fri, 06 Apr 2012 09:55:35 -0400, Drew Weaver said:
That is again, not true.
Senderbase's listings don't correlate to any public information so it's pretty much impossible to pro-actively protect ourselves from having our IPs set to poor.
You missed the point - if it was industry standard practice, reputation lists at Senderbase, Spamhaus, and SORBS would *all 3* be out of business, because the average spammer's lifespan at a provider would be less than the time it takes the average reputation list to put up an entry.
On Fri, Apr 6, 2012 at 8:48 AM, <Valdis.Kletnieks@vt.edu> wrote:
If it was industry-wide standard practice that just notifying a provider resulted in something being done, we'd not need things like Senderbase, which is after all basically a list of people who don't take action when notified...
[snip] Pot calling the kettle black. Before we talk about industry-wide practice about the providers "doing something". We should talk about industry-wide practice for "Black lists" doing something to correct entries, instead of just building up indiscriminate or irresponsibly maintained lists of networks or "scores" of networks that were targeted by a spammer at one time in the past. It's just as bad for a blacklist operator to not respond and "do something" for a network operator legitimately trying to resolve spam problems with their network and clear the listing as it is for a network abuse contact to not respond to a network operator. We should talk about industry-wide practices for how providers should be notified, what providers are actually supposed to do to "authenticate reports", because sometimes the report/notification itself is malicious or false abusive attempt to harass an innocent email user, and what exactly providers are actually expected to do with certain kinds of notification. The informal standard of "just call or send an e-mail to an abuse contact" is poorly specified. The informal standard of "the abuse contact should investigate and take immediate action" is poorly specified. Some of these things that are not specified by RFC should be specified by RFC as best practice. There should be abuse notification and response notification mechanisms other than free form e-mail. -- -JH
Jimmy Hess wrote:
On Fri, Apr 6, 2012 at 8:48 AM, <Valdis.Kletnieks@vt.edu> wrote:
If it was industry-wide standard practice that just notifying a provider resulted in something being done, we'd not need things like Senderbase, which is after all basically a list of people who don't take action when notified...
[snip] Pot calling the kettle black. Before we talk about industry-wide practice about the providers "doing something". We should talk about industry-wide practice for "Black lists" doing something to correct entries, instead of just building up indiscriminate or irresponsibly maintained lists of networks or "scores" of networks that were targeted by a spammer at one time in the past.
Sorry, but blocklists _came_into_existence_ ONLY because of large numbers of providers *ignoring* the problems their networks were causing the rest of the world. The very existence of 'widely used' blocklists is a damning indictment of the entire services provider industry. _Everybody_, including the major blocklist operators, would prefer that blocklists were _not_ needed -- that all providers would simply 'do the right thing', and insure that their users did =not= abuse other people's systems. Were that pipe-dream to come to pass, the major blocklists would *happily* shut down. They are all 'money sinks', operating at a loss, 'for the good of the community as a whole'. Before blocklists, 'policing your own network' was a pure expense item with no return. _Not_ policing one's own users *added* to profitability. There was no 'business incentive' to be a "good neighbor". With the advent of blocklists, providers have an 'economic self interest' justification in remaining out of the major/widely used ones. It is still an expense item, but "not doing anything" costs _more_ in 'lost revenues'. It is a sad comment on the state of affairs that _all_ the major providers have repeatedly demonstrated they simply "cannot be trusted to 'do the right thing'" *without* a loaded gun held to their heads -- but that *is* the reality of today's marketplace. Today, for any of the major spam-based blocklists, a single entry consisting of more than a single address is indicative of a _failure_ of a provider's self-policing. It is the height of hubris for a provider to 'demand' (or even 'expect') prompt/immediate response from a blocklist, *when* the provider 'demonstrably' couldn't be bothered to act that way themselves. (What's 'sauce for the goose' _is_ sauce for the gander. :) IF the provider had been actively self-policing, the blocklist entry would not have been escalated to larger than the single offending address.
Yes, it would be "nice" if everybody responded promptly; but, in the real world, that simply doesn't happen -- on either side of the fence. I once got an ack about a spam complaint *over*five*months* after sending it. (For 'some strange reason', that provider is no longer in business. Thank goodness!)
It's just as bad for a blacklist operator to not respond and "do something" for a network operator legitimately trying to resolve spam problems with their network and clear the listing as it is for a network abuse contact to not respond to a network operator.
This is provably not true. There is no recourse/remedy for an unresponsive network operator. The 'network abuse' continues to flow, _unabated_, from that network. A blocklist, on the other hand, tends to be self-regulating. If it is not responsive to changing conditions, especially the 'cleaning' of formerly 'bad reputation' addresses/blocks, it generates an 'unacceptably high' number -- as determined by its USERS, not the senders -- of 'false positive' evaluations, *whereupon* increasing numbers of users =stop= using that service. Resulting in an automatic _lessening_ of the impact of being listed on that blocklist. See the APEWS list for a 'textbook' demonstration of this self-regulation in action.
We should talk about industry-wide practices for how providers should be notified, what providers are actually supposed to do to "authenticate reports", because sometimes the report/notification itself is malicious or false abusive attempt to harass an innocent email user, and what exactly providers are actually expected to do with certain kinds of notification.
The informal standard of "just call or send an e-mail to an abuse contact" is poorly specified. The informal standard of "the abuse contact should investigate and take immediate action" is poorly specified.
Some of these things that are not specified by RFC should be specified by RFC as best practice. There should be abuse notification and response notification mechanisms other than free form e-mail.
It would appear that you are not familiar with RFC 5965.
On Fri, Apr 6, 2012 at 7:31 AM, Drew Weaver <drew.weaver@thenap.com> wrote:
That's just not true, we would much rather be notified of something that a reputation list finds objectionable and take it down ourselves than have Senderbase set a poor reputation on dozens of IaaS customers.
I think the idea is that you're supposed to proactively monitor your systems for abuse and generally make your network inhospitable to spammers, not just reactively move the customer to a new IP address when the unpaid anti-spammers kindly let you know you've been detected. Personally I see SORBS as the canary in the coal mine. Except for the DUHL (which identifies dynamic IPs, not spamming activity) nobody serious relies on SORBS' data. So, it doesn't much hurt when they list you. But, like the canary that dies first if the air turns bad, if you're careful to watch SORBS you know when you're headed for problems which will get you listed by a real RBL. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
So you're suggesting that hosting companies do what? How many emails or port 25/587 connections a (day, week, hour) makes someone a spammer if there are no objections being lodged at the abuse department? Are we supposed to do DPI on every email that a dedicated server sends out and then decide whether it's spam? My point is if a list has a problem with a /32 they could have the courtesy to contact the ISP/host prior to causing huge problems for a /24. I'm not sure what more can be done than having an abuse department staffed up and checking all published data before accepting a customer. And I'm mostly just complaining about senderbase, because they seem to be the one that really large companies reference. Thanks, -Drew -----Original Message----- From: wherrin@gmail.com [mailto:wherrin@gmail.com] On Behalf Of William Herrin Sent: Friday, April 06, 2012 12:56 PM To: Drew Weaver Cc: nanog@nanog.org Subject: Re: SORBS?! On Fri, Apr 6, 2012 at 7:31 AM, Drew Weaver <drew.weaver@thenap.com> wrote:
That's just not true, we would much rather be notified of something that a reputation list finds objectionable and take it down ourselves than have Senderbase set a poor reputation on dozens of IaaS customers.
I think the idea is that you're supposed to proactively monitor your systems for abuse and generally make your network inhospitable to spammers, not just reactively move the customer to a new IP address when the unpaid anti-spammers kindly let you know you've been detected. Personally I see SORBS as the canary in the coal mine. Except for the DUHL (which identifies dynamic IPs, not spamming activity) nobody serious relies on SORBS' data. So, it doesn't much hurt when they list you. But, like the canary that dies first if the air turns bad, if you're careful to watch SORBS you know when you're headed for problems which will get you listed by a real RBL. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On Fri, Apr 6, 2012 at 1:01 PM, Drew Weaver <drew.weaver@thenap.com> wrote:
So you're suggesting that hosting companies do what?
I believe I'm suggesting you use SORBS as your canary in the coal mine and otherwise ignore them. But if you're asking what hosting companies could do to proactively prevent spamming and make their systems inhospitable to spammers, I might start with blocking non-local outbound TCP 25 by default. Then have the customer fill out and sign a form. Spell out your bulk email policies, have the customer specify which of their IPs will originate email and have them send the form to you signed via U.S. Mail. No "proof" or other major hoops, just sign and mail the form. Unless you're *trying* to run a "bulletproof hosting" system, you'll find the customers who intentionally spam would prefer to stay under the radar. Forcing them to "out" themselves by telling you they intend to send mail from every one of their addresses is often enough to encourage their voluntary departure. And it's certainly enough to tell you *which* among your thousands of customers you should watch to make sure they're not spammers. For the non-spamming customers, you've emphasized that running a well secured email server is a challenge which takes more than clicking install.exe. You haven't told them they can't, but you've spelled out "be careful" in big, bold letters.
And I'm mostly just complaining about senderbase, because they seem to be the one that really large companies reference.
Meh. If you catch them while they're still just annoying SORBS, they'll never make it in to senderbase. Canary. Coal mine. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
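The "canary" monitoring described in the message above, sketched as an added example that is not part of the original thread: it checks every address in a provider's own netblock against a DNS blocklist and counts listings per /24. The zone `dnsbl.example.org`, the function names and the sample answers are assumptions constructed for illustration.

```python
import ipaddress
import socket
from collections import Counter

ZONE = "dnsbl.example.org"  # placeholder zone (assumption): substitute the list you watch
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live in 127/8

def query_name(ip, zone=ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A records for name via the system resolver; [] when the lookup fails.

    This simple resolver cannot tell NXDOMAIN (not listed) from a resolver
    outage, so an outage looks like a clean result.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check_block(cidr, resolve=system_resolver, zone=ZONE):
    """Return {ip: [return codes]} for each address in cidr that the list answers for."""
    listed = {}
    for ip in ipaddress.ip_network(cidr):
        codes = [a for a in resolve(query_name(ip, zone))
                 if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:  # answers outside 127/8 (wildcarded or hijacked DNS) are ignored
            listed[str(ip)] = codes
    return listed

def per_slash24(listed):
    """Count listed addresses per /24, the unit a provider sees escalate."""
    return Counter(str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in listed)

# Constructed sample data standing in for live DNS, so the example runs offline.
SAMPLE_ANSWERS = {
    "5.2.0.192.dnsbl.example.org": ["127.0.0.2"],
    "9.2.0.192.dnsbl.example.org": ["127.0.0.2"],
    "77.2.0.192.dnsbl.example.org": ["203.0.113.10"],  # not a DNSBL return code
}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    hits = check_block("192.0.2.0/24", resolve=sample_resolver)
    for block, count in per_slash24(hits).items():
        print(f"{block}: {count} listed -> {sorted(hits)}")
```

Run on a schedule against your own allocations, a rising per-/24 count is the early signal to act on before a listing widens.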
participants (39)
- Alain Hebert
- Barry Shein
- Blake Dunlap
- Brett Frankenberger
- Brian Keefer
- Brielle Bruns
- chris
- Chris Conn
- Dan White
- David Miller
- Drew Weaver
- George Herbert
- goemon@anime.net
- Hank Nussbacher
- Jeroen van Aart
- Jimmy Hess
- John Levine
- John R. Levine
- Jon Lewis
- Landon Stewart
- Mark Foster
- Matt Kelly
- Matthew Palmer
- Michael Thomas
- Mike Andrews
- Nathan Eisenberg
- Nick Hilliard
- Patrick W. Gilmore
- Paul Graydon
- PC
- Randy Bush
- Ray Van Dolson
- Rich Kulawiec
- Robert Bonomi
- Sam Oduor
- Suresh Ramasubramanian
- TR Shaw
- Valdis.Kletnieks@vt.edu
- William Herrin