Home page logo
/

basics logo Security Basics mailing list archives

RE: Sorbs.net DNS Blacklist
From: "Dan Denton" <ddenton () PAYLESSOFFICE com>
Date: Mon, 13 Mar 2006 12:11:17 -0600

My will is broken. I disabled NDR's in Exchange and thankfully the
people at Sorbs saw fit to remove me from their blacklist. Thanks to all
of you who responded to my post. You help is greatly appreciated...

-----Original Message-----
From: John Mason Jr [mailto:john.mason.jr () cox net] 
Sent: Monday, March 13, 2006 11:59 AM
To: Dan Denton
Cc: security-basics () securityfocus com
Subject: Re: Sorbs.net DNS Blacklist


Dan Denton wrote:
I've got some updated info since the original posting. I spoke by 
email with a gent at payments () sorbs net, and was told that the reason 
we were blacklisted was that a spammer sent a message from a forged 
username at a particular domain. The email hit an address at our 
server that was no longer in use, and of course a bounce message was 
sent back saying the address doesn't exist.

The "proper" way to deal with this is to reject during the smtp 
conversation, that way your mailserver will not generate the bounce 
message and get stuck in a blacklist.

<http://spamlinks.net/prevent-secure-backscatter.htm>


Evidently, this response is considered spam in and of itself by 
sorbs.net, and that's what got us on the blacklist. Never mind that we

were the ones who got spammed in the first place, and our mail gateway

was only doing what it was supposed to do. I was told that if we 
ceased such "harassment", then we would be removed from the blacklist.


Backscatter is bad, I hope you can find a way to fix your problem The
link explains it better than I can



Symantec, who makes our gateway, has it documented on their website 
that this feature cannot be disabled, and that such responses are 
required by RFC 821. I can see the point. If there's no response to 
the sender of an email who accidentally puts a typo in the email 
address they're sending to, how the heck would they know if their 
email reached the correct party or not? They'd receive no response 
from a real user, and they'd probably wonder why they're being 
ignored. In a business setting, that behavior could lose you money 
real quick.

It is not about getting the NDR but which server should generate it.



John

<snip>


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault