Security Basics mailing list archives
RE: Sorbs.net DNS Blacklist
From: "Brad Berson" <brad.berson () bytebrothers org>
Date: Wed, 15 Mar 2006 18:18:47 -0500
I've been reading everyone's statements and claims about SORBS. This stuff interests me greatly since I started my own anti-spam crusade a few years ago, and particularly since the SORBS DNSBL is one of the six lists I use to check and possibly refuse incoming emails.

First off, SORBS is a tool. And like any tool, there are correct ways and faulty ways to use the tool. If you use a tool wrong you can damage the device on which you use that tool. Unfortunately the lines between correct and faulty can be somewhat fuzzy and to some degree, revolve around the amount of collateral damage you are willing to sustain.

To that effect, my own use of SORBS involved NOT using the 127.0.0.6 zone, which in my experience causes way too many sporadic false positives, for whatever reason. This leaves ten other zones on that DNSBL which function marvelously for me. I also had some false positives from SpamCop but they are fairly predictable, limited mostly to Yahoo! Groups' mail relays due to Yahoo!'s poor policy regarding list member subscription methods and how easily their system is abused by spammers. Since I haven't yet been spammed through Yahoo! and since I and a few of my clients use Yahoo! Groups, I've whitelisted most of their relays to compensate.

I find SORBS' de-listing policy a little confusing. In most cases it appears that a re-test submission and 48 hours of patience is sufficient and the "donation" is not required. On the other hand I find it strange that such donations are to be to a fund regarding a legal case that was dismissed over three years ago, but a little research shows that this fund contributed nearly $5000 to OsiruSoft's defense against the whacko running Pallorium, so I really can't complain. OsiruSoft (Joe Jared) was running a DNSBL of its own several years ago and got Pallorium's panties in a twist when it was discovered that OsiruSoft's DNSBL was instrumental in much of Pallorium's spam failing to reach its targets. This case was won by OsiruSoft just a few months ago after dragging on for YEARS, and Mr. Jared is still thousands of dollars in the red in spite of contributions.

Which brings me to another bit of ugliness. Yes, SORBS does not take a particularly friendly approach to its practice. Nor did Mr. Jared. That Mr. Jared was not only very effective but was also a grade-A jerk about it, resulted in his business being DOS'd into submission. Jared soon caved to the relentless attacks and shut down his DNSBL permanently. He still participates in NANAE (usenet) but no longer in any useful manner. I fear that if the SORBS admin maintains this attitude that he too will eventually end up as the next target and the honest Internet community will end up losing another valuable tool in the fight against spam.

Does the fifty bucks constitute extortion? It's a fine line they're riding, and remember that SORBS is subject to the laws in their country of operation, not necessarily YOUR country. I don't think it's a good idea, personally, and feel that eventually it will be just another nail in SORBS' coffin. But the key fact here is that the list does not maintain any information that is not factual and true.

And to give the dead horse one more unnecessary whack, remember that SORBS is only information, provided at no charge. It's up to mail server admins as to what they shall do with that information. Since the recipient mail server admins are under no legal obligation to specifically receive your email or anyone else's, you can't pursue them legally either.

Finally a note about backscatter. Since a huge amount of spam is directed at email addresses that no longer exist or perhaps never existed, as an email admin it benefits you to set your server not to accept such delivery attempts. From an email admin and even a user perspective the backscatter is a nightmare (last year I had two or three weeks where I personally was receiving a thousand bounces per day from AOL addresses that I obviously never emailed). But the other consequence of trying to bounce all that traffic is that it wastes more of your own bandwidth on sending NDRs and could fill up your server's /badmail directory with all undeliverable NDRs, perhaps to the point of a full volume and a stopped mail server.

From a security perspective SORBS is a wonderful tool. It helps block huge amounts of spam, phishing attempts, email-borne viruses, etc. The SORBS zone that describes the dynamic netblocks is one of the most useful since the overwhelming percentage of spam and viruses come through compromised broadband customers these days.

At the moment I'm delighted to say I get no reported false positives in spite of using SIX DNSBLs to screen my incoming messages. Your mileage may vary!

-Brad