At 10:31 10/11/2005, Mark Foster wrote:

...

"Your server is not an open relay, but you have a user that is infected with a mass-mailer trojan/malware"

(and finally a copy of some message headers that prove it)

Was this the honest-to-god reason?

Yes, that was a verbatim quote from the message.

I thought that most malware did its own MX lookups and relayed directly? Aka bypassing the SMTP relay provided by infected-parties ISP?

I thought so too, but obviously some don't.

Given the sheer volume of smtp-crud that a lot of people see, it wouldnt suprise me that large blocks get put in sooner rather than later.

In some respects though, SORBS's policy is actually reasonably well thought out. Entries get a TTL of 2 days and if now further 'hits' on the IP are received, the TTL auto-expires and the block comes off. TTL gets renewed each time a further report is received.

The spamcop list auto-removes you after sometime between 12 and 24 hours too, but the problem as I see it is that they rely on unverified user entered "reports" so potentially you could keep getting unfairly listed over and over without any real comeback... Regards, Simon