nanog mailing list archives

Re: SORBS Insanity


From: Matthew Sullivan <matthew () sorbs net>
Date: Thu, 15 Apr 2004 22:21:04 +1000


In case you didn't know, SORBS admins do populate this list from time to time, so it might be worth going through a few things...

Jeremy Kister wrote:

I became aware that just about all of 64.115.0.0/16, a network that I (among
others) run, has been listed as "dynamic ip space" in sorbs as of April 2nd.
On April 6th I sent my first email (via web-form) to sorbs telling them they
were mistaken.

What address did you use?  What tracking number did you get?

 Finding no documentation on how they deem networks "dynamic" or
"static" I changed my rDNS scheme from ppp-64-115-x-x to 64-115-x-x  Note
to all: "ppp" in no way signifies dial-up; we run ppp over almost every
circuit we have -- from dialup to OC12, to Ethernet and ATM.

I also stated how all of our network was scanned twice a day for open-relay
mail servers.  Being a bigish ISP, we are _huge_ on our abuse policies, and
our abuse bucket [usually] has only memories of tumbleweed blowing by.

On April 10th I again wrote, only to be ignored further.

Again, tracking number please?  Address you used?

The reason I am asking is I only find one ticket from the address you posted from.

Yesterday, April 13th, one of my customers opened a trouble ticket stating
that he had successfully received a response from SORBS, and had forwarded
me the conversation.  I sent an email to duhl () sorbs net (the author of the
email) quoting what they had written one of my customers.  They said to my
customer that I had to either provide custom reverse DNS for each customer
who was not dynamic, or I had to provide sorbs with POCs for all my
non-dynamic customers.  I stated how this was absurd, and that there was
already a functioning medium for this task -- rwhois.

In this same email, I also stated:
1.  exactly which 64.115 networks were dynamic

I gather then you are not actually 'abuse () broadviewnet net' then (see below)...

2.  that to prevent further hysteria, I had changed the reverse dns from
     ppp-64-115-x-x to static-64-115-x-x and dynamic-64-115-x-x,
     respectively.

And yet the mail I received from 'abuse () broadviewnet net' - which I found oddly worded for a professional - stated there are no dynamic blocks in the entire /16.... Which is it?

3.  their blindness was very unprofessional, deeming SORBS a Worthless
     Project run by Ignorant Half-Wits

..who are unpaid, for both answering tickets, and the time in dealing with obnoxious people who threaten various amounts of legal action... not to mention the cost involved in running the services to both the owner and those who generously give resources to the SORBS project....

Actually the instructions I have given to those answering the DUHL tickets are that if there is no rDNS or rDNS that may indicate the address space is not static then they are to accept requests only from the confirmed RIR PoC... This is specifically because every man and his dog come to us explaining how their part of the net is not dynamic.

As of this date I have not received a response from anyone at sorbs, and do
not expect one.   Our support crew is overwhelmed with upset customers who
can't send email to their associates.  Our only response to them is that we
have tried to resolve the issue, but could not, and that the remote ISP
should stop using sorbs.

Funny the person logging the first ticket also said that...

I am upset that they blindly blacklisted most of 64.115.0.0/16 because some
of the reverse dns was generic.  64.115.47.0/25, for example, hasn't very
much generic rDNS at all, but was blacklisted just the same.

It was blacklisted because of a tipoff from someone who is widely known and trusted. I checked up on the tip, and in this case I either didn't look close enough, or your rDNS has changed significantly for the network....

I hope all stop using SORBS.  I especially hope Mr. Vixie reconsiders his
helpfulness to such a harmful organization.

Now I'm not going to reveal details of the actual comments in the tickets unless you grant your permission and indicate which ticket(s) are yours...

I will say though as there are no indications of any dynamic ranges in any of the tickets logged, I spent all day yesterday going through the rDNS logs for the entire /16 (yes we do go through the entire dump), and had I not spent until the early hours of the morning this morning tracking a DoS attack, and then most of the day in my day job I would already have fixed this... but I guess by your post that doesn't matter.

Yours

Matthew


