Fwd: FW: SORBs blacklisting Paradise MTAs
Having previously been listed on the SORBS list, I can say from personal experience that trying to get any information from them is like trying to draw blood from a stone. You just give up - there is quite literally nothing you can do.

The legal stuff on their site says something like "you are not supposed to block access based on information on this site", yet that is exactly why their site has been created. That's their legal 'get out' to avoid all liability.

Their attitude stinks. They are quite happy to cripple your business for days/weeks at a time and their response time after an issue has been resolved is pathetic.

Paul

-----Original Message-----
From: neil gardner [mailto:neil.gardner(a)alliedtelesyn.co.nz]
Sent: Wednesday, 1 February 2006 14:12
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] SORBs blacklisting Paradise MTAs

Hi gents (and gentesses)

I reported to Paradise that Sorbs was blacklisting a particular Paradise MTA last night (details below) and their response was that sorbs refuse to whitelist them so there's nothing they can do about it...

They further state that "SORBS automatically delist the servers after a 48 hour time period, and mail passing through the once affected mail server should flow as per normal." yet the information pasted below seems to indicate that the particular IP I reported has been on the list since Dec 11th 2005.

They're spinning me a line right? The Sorbs record hasn't been updated since Dec 11th!

*--- Info from sorbs as of 5 minutes ago *---
Address: 203.96.152.180
Record Created: Sun Dec 11 13:53:04 2005 GMT
Record Updated: Sun Dec 11 13:53:04 2005 GMT
Additional Information:
Received: from linda-1.paradise.net.nz (bm-1a.paradise.net.nz [203.96.152.180]) by vampire.isux.com (Postfix) with ESMTP id 58986B90C; Sun, 11 Dec 2005 13:52:40 +0000 (UTC)
Currently active and flagged to be published in DNS
*--- end info from sorbs *---

Why would Paradise deliberately avoid resolving this issue when pointed out to them?
If anyone from Paradise / Telstraclear would like to jump in and explain why your helpdesker effectively refused to do anything about the situation then I'm all ears.

Yes, I did report to Paradise through the appropriate mechanism, then I replied to their automated response, then this morning I phoned to report it and had my number taken (no-one has phoned back) and a few minutes ago I received the reply to the original message saying they can't do anything.

Cheers - Neil G

Neil Gardner
Product Manager
Allied Telesyn Research Ltd
New Zealand
+64 3 339-9509 (ph)
+64 3 339-3001 (fax)

NOTICE: This message contains privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that you must not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify Allied Telesyn Research Ltd immediately. Any views expressed in this message are those of the individual sender, except where the sender has the authority to issue and specifically states them to be the views of Allied Telesyn Research.

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
Paul Adshead wrote:
The legal stuff on their site says something like "you are not supposed to block access based on information on this site", yet that is exactly why their site has been created. That's their legal 'get out' to avoid all liability.
Not really. That's perfectly valid. Blacklist sites like SORBS should probably not be used except as one factor in a weighting system such as spamassassin. I know many people do, and sometimes when the spam is flowing like an open sewer, it's very tempting... That doesn't really invalidate SORBS' statement though.

Note: I'm not defending SORBS here, I just happen to agree with that particular statement on their website.

Regards,
Greig McGill
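The "one factor in a weighting system" approach from the reply above, as an added example that is not part of the original thread: a DNSBL hit adds points to a message score instead of rejecting outright. The zone names, weights, threshold and the stub resolver are hypothetical; only the lookup-name format (reversed octets plus zone, answers in 127.0.0.0/8) is the standard DNSBL convention.

```python
import ipaddress

# Hypothetical zones and weights, chosen for illustration only.
ZONE_WEIGHTS = {
    "spam.dnsbl.example.org": 2.5,
    "dynamic.dnsbl.example.org": 1.0,
}
REJECT_THRESHOLD = 5.0  # hypothetical total score at which mail is refused


def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answers):
    """Count only A records inside 127.0.0.0/8 as a listing.

    Any other answer (for example from a parked or wildcarded zone)
    is ignored so that it cannot list every sender.
    """
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def dnsbl_score(ip, resolve, zone_weights=ZONE_WEIGHTS):
    """Sum the weights of every zone that lists the connecting IP."""
    score = 0.0
    for zone, weight in zone_weights.items():
        try:
            answers = resolve(dnsbl_query_name(ip, zone))
        except LookupError:  # NXDOMAIN or timeout: treat as not listed
            answers = []
        if is_listed(answers):
            score += weight
    return score


def verdict(ip, content_score, resolve):
    """Combine the DNSBL score with a content score from other checks."""
    total = content_score + dnsbl_score(ip, resolve)
    return ("reject" if total >= REJECT_THRESHOLD else "accept"), total


# Constructed sample data: a stub resolver standing in for real DNS.
FAKE_DNS = {"180.152.96.203.spam.dnsbl.example.org": ["127.0.0.2"]}


def fake_resolve(name):
    if name not in FAKE_DNS:
        raise LookupError(name)
    return FAKE_DNS[name]
```

With these weights a listed relay sending otherwise clean mail is still accepted; the listing only tips the balance when other checks also score the message.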
I've been involved in an ongoing attempt to remove 3 particular ranges (equating to a /24) from SORB's DB for nearly 3 months now. Here's what I've found.

If you get impatient waiting for them to respond to you (over 3 weeks usually), they put your original query to the back of the queue. When they finally do get to it they make silly excuses why they won't act on your request. This means you have to resubmit the request, waiting a further 3 weeks. (As Tony said, they expect you to screw around with ARP records, TTLs, etc to "prove" that you're legit.) This scenario loops several times until they realise you aren't going to just leave them alone to act out IRL RPGs in their office with their sister's clothes. They eventually indicate that they will process the delisting, so you slump back in your chair in relief, and then realise a week later that they still haven't done jacksh..

Sorbs ARE in bed with Satan (snuggled up next to Spamcop), and it's easier to just contact the admins of the blocking MTA, and explain why their filtering setup is bad.. at least there's a slight chance they'll listen.

Jeremy
ARP? PTR! ..erk *hide*

Jeremy Brake wrote:
I've been involved in an ongoing attempt to remove 3 particular ranges (equating to a /24) from SORB's DB for nearly 3 months now. Here's what I've found.
If you get impatient waiting for them to respond to you (over 3 weeks usually), they put your original query to the back of the queue. When they finally do get to it they make silly excuses why they won't act on your request. This means you have to resubmit the request, waiting a further 3 weeks. (As Tony said, they expect you to screw around with ARP records, TTLs, etc to "prove" that you're legit.) This scenario loops several times until they realise you aren't going to just leave them alone to act out IRL RPGs in their office with their sister's clothes. They eventually indicate that they will process the delisting, so you slump back in your chair in relief, and then realise a week later that they still haven't done jacksh..
Sorbs ARE in bed with Satan (snuggled up next to Spamcop), and it's easier to just contact the admins of the blocking MTA, and explain why their filtering setup is bad.. at least there's a slight chance they'll listen.
Jeremy
My experience with SORBS was sorta a mix of the terrible (similar to Jeremy) and the very good. I actually had direct dealings with the guy who ran SORBS.

If you are an employee of an ISP who is directly accountable for things that happen on that net - usually the abuse@ person is good - SORBS will usually be very helpful (ok, this is my experience of 2 years ago...) - they gave me access to some of their online back-end tools which let me look up the reasons for a listing (including sample headers) which helped prevent repeats of the same offense cause relisting.

I'd encourage ISPs' security guys to proactively attempt to contact SORBS and establish a dialogue that isn't necessarily tied to a 'we're blocked and not happy!' message. It's less antagonising for a start.

The listings are set up in the DNS with a 48hr TTL and the zone is not refreshed unless another offense occurs. (So if you're clean for 48 hours the entry gets purged.)

If Paradise are listed it means one of their clients sent something which got listed in SORBS, and there's a complaint in the system younger than 48 hours. In theory. They won't 'unlist' you by request.

If OTOH you happen to get assigned a netblock that was in their Dynamic IP list and start using it for systems that handle mail, that's another story...

I do agree that Companies and others for whom email delivery is important, should not be using systems such as SORBS. I personally run their Dynamic IP Blacklist but nothing else.... frankly someone on a Dynamic IP should be relaying through their ISP and not direct to me.

I do provide a webform on my site that can be used for people to contact me should there be an accidental blacklisting, of course. And if I start seeing collateral damage, I'll stop using SORBS. So far however it hasn't been an issue, _for me personally_.

Mark.
I've been involved in an ongoing attempt to remove 3 particular ranges (equating to a /24) from SORB's DB for nearly 3 months now. Here's what I've found.
*snip*
Mark Foster wrote:
I'd encourage ISPs' security guys to proactively attempt to contact SORBS and establish a dialogue that isn't necessarily tied to a 'we're blocked and not happy!' message. It's less antagonising for a start.
This is the best advice in the thread. Arrogant SORBS answers are mainly in response to four reasons: demands for anything, bad attitudes, mentioning legal action of any type, and misunderstandings of the English language. Of course there are exceptions and I am always open to complaints about attitude, they can be addressed directly to me. As for the latter issue, the volunteers come from many countries of the world and their understanding of the English language occasionally results in a response which others feel offends (eg. most Europeans will be blunt and to the point - this offends most Aussies)
The listings are set up in the DNS with a 48hr TTL and the zone is not refreshed unless another offense occurs. (So if you're clean for 48 hours the entry gets purged.)
Actually this is not right. Listings are created on the reception of spam, they have a 48 hour DNS TTL in most cases. Spam database entries are not automatically delisted for a very long time unless the responsible party for the address contacts SORBS and requests a delisting. SORBS is a volunteer organisation with no contracts to support persons listed so whilst we aim to answer people within 48 hours (and currently the spam DB entries are getting answered within 6 hours) it can take a long time to answer - in the past it has taken as long as 6 weeks (particularly with respect to the DUHL), and it has been as short as 7 minutes. - if anyone wants a support contract of course they can contact us and pay for one, that will guarantee answers and support within whatever SLA is agreed upon.
If Paradise are listed it means one of their clients sent something which got listed in SORBS, and there's a complaint in the system younger than 48 hours. In theory. They won't 'unlist' you by request.
If OTOH you happen to get assigned a netblock that was in their Dynamic IP list and start using it for systems that handle mail, that's another story...
...and there are 2 ways to get delisted from the DUHL:

1/ take our advice on PTR setup, which is described in a document that I will be submitting as an RFC as soon as I get around to finishing the last changes ( here if interested: http://www.au.sorbs.net/~matthew/dns-naming-rfc-draft.txt ) - of course this doesn't mean you have to follow it, but it will help you and the rest of the world in determining whether to accept your email (and other) traffic or not.

2/ Have the person who is the RIR PoC contact SORBS with a list of dynamic and static allocations. There will be a conversation by email so if you are not the holder of the email address in the PoC you will not be able to delist.

Any organisation coming to SORBS and indicating that a particular netblock is not dynamic and not giving any other information will be viewed initially with suspicion - this is particularly the case when the PoC is a mainstream ISP and makes statements like 'we don't have any dynamic allocations'.

Further, to the above, we do check up and any deliberate misinformation will result in SORBS taking a 'best guess' as to the nature of the netblock(s) (as British Telecom found out before Christmas). Check ups include monitoring addresses for connected machines and the OSs and services they run. Obtaining local accounts from said ISP. Monitoring virus and email emanations from each address over a period such as a month (statics have the same virus and mail from the same hosts, dynamics tend to wander through most of the netblock)...etc...
I do agree that Companies and others for whom email delivery is important, should not be using systems such as SORBS. I personally run their Dynamic IP Blacklist but nothing else.... frankly someone on a Dynamic IP should be relaying through their ISP and not direct to me.
There are a lot of large organisations using the SORBS DUHL as it is the most researched on data.
I do provide a webform on my site that can be used for people to contact me should there be an accidental blacklisting, of course. And if I start seeing collateral damage, I'll stop using SORBS. So far however it hasn't been an issue, _for me personally_.
..yet more very good advice - and it doesn't just apply to SORBS listings - it applies to all RBL services (including Spamhaus).. At my $dayjob this is one of the first things I put up.

Regards,
Matthew @ SORBS

PS: Delisting requests directly to me and not via the SORBS Support system will generally be ignored - that is not arrogance, that is purely a need to ensure everything is documented in the correct place.
participants (5)
- Greig McGill
- Jeremy Brake
- Mark Foster
- Matthew Sullivan
- Paul Adshead