"Problem located (not the 127.0.0.1 issue) and is being resolved. More of an update when we locate the originating cause, but it appears the migration from SORBS1 to SORBS2 was to blame for the actual listing problems."

"Problem located. Historical entries were migrated as current (historical is not identical to 'previously delisted' but the effect is the same.)"

Looks like some tweaking to have a weighting on RBL rather than relying on a single RBL, but then there may be a trade-off for effectiveness?

Interesting vector for a denial of service though :)

Thanks everyone.

Cheers,

Andre
VFNZ



From: Jasper Bryant-Greene <jasper@metaname.co.nz>
To: Andre Van Niekerk <theflat1@xtra.co.nz>
Cc: nznog@list.waikato.ac.nz
Sent: Fri, 8 October, 2010 10:24:13 AM
Subject: Re: [nznog] SORBS had loopback listed in dnsbl?

On 8/10/2010, at 9:53 AM, Andre Van Niekerk wrote:
> Anyone have an issue yesterday with mail being categorized as spam due to SORBS listing 127.0.0.1 in their DNS BL DB?
> Had a few complaints from internal customers that mail was not getting through, and a cursory inspection of the logs shows SORBS reporting this address as an open relay (I'm not sure if this is a common occurrence??).

127.0.0.1 has been listed in SORBS since 2008, according to their database lookup tool, although I can't seem to verify that with a DNS lookup.

I guess it maybe makes some sense since if your frontend MTAs (the ones which should be checking incoming connections against DNSBLs) are getting mail from 127.0.0.1 you might want to know about it? I use Spamhaus who seem to have more rigorous policies around what leads to IPs being listed.

Also, I'd suggest that if 127.0.0.1 being listed in SORBS can break your mail system, it might be worth tweaking the configuration so that doesn't happen. In particular, connections from localhost probably shouldn't be subjected to a DNSBL lookup.

Jasper
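
The two mitigations raised in this thread (weight several lists rather than trusting one, and never run DNSBL checks on localhost) combined in one sketch. This is an added example, not part of the original emails; the zone names, weights, threshold and trusted networks are assumptions, and the lookup is stubbed with constructed data so it runs offline.

```python
import ipaddress
import socket

# Hypothetical zones, weights and threshold (assumptions, not from the thread).
WEIGHTS = {"bl-a.example": 3, "bl-b.example": 2, "bl-c.example": 2}
REJECT_AT = 4  # no single list can reach this score on its own
TRUSTED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]


def query_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_listed(name):
    """Live lookup; simplified so that any A record answer counts as listed."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def score(ip, listed=dns_listed):
    """Return (score, hits); trusted sources are never looked up at all."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return 0, []  # IPv6 nibble-format queries are left out of this sketch
    if any(addr in net for net in TRUSTED):
        return 0, []
    hits = [zone for zone in WEIGHTS if listed(query_name(ip, zone))]
    return sum(WEIGHTS[zone] for zone in hits), hits


def should_reject(ip, listed=dns_listed):
    return score(ip, listed)[0] >= REJECT_AT


# Constructed sample data: bl-a.example has a bad data load and lists
# everything, including loopback; bl-b.example lists only one address.
BAD_DATA = {"1.0.0.127.bl-a.example", "10.2.0.192.bl-a.example",
            "66.113.0.203.bl-a.example", "66.113.0.203.bl-b.example"}
fake = BAD_DATA.__contains__  # offline stand-in for dns_listed

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.10", "203.0.113.66"):
        print(ip, score(ip, fake), should_reject(ip, fake))
```

With these weights a faulty listing on one zone lowers the sender's standing but cannot block mail by itself, which is the trade-off against catch rate that the threshold controls.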