Home page logo
/

basics logo Security Basics mailing list archives

RE: Sorbs.net DNS Blacklist
From: "Brad Berson" <brad.berson () bytebrothers org>
Date: Wed, 15 Mar 2006 18:18:47 -0500

I've been reading everyone's statements and claims about SORBS.  This
stuff interests me greatly since I started my own anti-spam crusade a
few years ago, and particularly since the SORBS DNSBL is one of the six
lists I use to check and possibly refuse incoming emails.

First off, SORBS is a tool.  And like any tool, there are correct ways
and faulty ways to use the tool.  If you use a tool wrong you can damage
the device on which you use that tool.  Unfortunately the lines between
correct and faulty can be somewhat fuzzy and to some degree, revolve
around the amount of collateral damage you are willing to sustain.

To that effect, my own use of SORBS involved NOT using the 127.0.0.6
zone, which in my experience causes way too many sporadic false
positives, for whatever reason.  This leaves ten other zones on that
DNSBL which function marvelously for me.  I also had some false
positives from SpamCop but they are fairly predictable, limited mostly
to Yahoo! Groups' mail relays due to Yahoo!'s poor policy regarding list
member subscription methods and how easily their system is abused by
spammers.  Since I haven't yet been spammed through Yahoo! snd since I
and a few of my clients use Yahoo! Groups, I've whitelisted most of
their relays to compensate.

I find SORBS' de-listing policy a little confusing.  In most cases it
appears that a re-test submission and 48 hours of patience is sufficient
and the "donation" is not required.  On the other hand I find it strange
that such donations are to be to a fund regarding a legal case that was
dismissed over three years ago, but a little research shows that this
fund contributed nearly $5000 to OsiruSoft's defense against the whacko
running Pallorium, so I really can't complain.  OsiruSoft (Joe Jared)
was running a DNSBL of its own several years ago and got Pallorium's
panties in a twist when it was discovered that OsiruSoft's DNSBL was
instrumental in much of Pallorium's spam failing to reach its targets.
This case was won by OsiruSoft just a few months ago after dragging on
for YEARS, and Mr. Jared is still thousands of dollars in the red in
spite of contributions.

Which brings me to another bit of ugliness.  Yes, SORBS does not take a
particularly friendly approach to its practice.  Nor did Mr. Jared.
That Mr. Jared was not only very effective but was also a grade-A jerk
about it, resulted in his business being DOS'd into submission.  Jared
soon caved to the relentless attacks and shut down his DNSBL
permanently.  He still participates in NANAE (usenet) but no longer in
any useful manner.  I fear that if the SORBS admin maintains this
attitude that he too will eventually end up as the next target and the
honest Internet community will end up losing another valuable tool in
the fight against spam.

Does the fifty bucks constitute extortion?  It's a fine line they're
riding, and remember that SORBS is subject to the laws in their country
of operation, not necessarily YOUR country.  I don't think it's a good
idea, personally, and feel that eventually it will be just another nail
in SORBS' coffin.  But the key fact here is that the list does not
maintain any information that is not factual and true.  And to give the
dead horse one more unnecessary whack, remember that SORBS is only
information, provided at no charge.  It's up to mail server admins as to
what they shall do with that information.  Since the recipient mail
server admins are under no legal obligation to specifically receive your
email or anyone else's, you can't pursue them legally either.

Finally a note about backscatter.  Since a huge amount of spam is
directed at email addresses that no longer exist or perhaps never
existed, as an email admin it benefits you to set your server not to
accept such delivery attempts.  From an email admin and even a user
perspective the backscatter is a nightmare (last year I had two or three
weeks where I personally was receiving a thousand bounces per day from
AOL addresses that I obviously never emailed).  But the other
consequence of trying to bounce all that traffic is that it wastes more
of your own bandwidth on sending NDRs and could fill up your server's
/badmail directory with all undeliverable NDRs, perhaps to the point of
a full volume and a stopped mail server.

From a security perspective SORBS is a wonderful tool.  It helps block
huge amounts of spam, phishing attempts, email -borne virii, etc.  The
SORBS zone that describes the dynamic netblocks is one of the most
useful since the overwhelming percentage of spam and viruses come
through compromised broadband customers these days.  At the moment I'm
delighted to say I get no reported false positives in spite of using SIX
DNSBLs to screen my incoming messages.  Your milage may vary!

-Brad

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault