
Hackers Blamed For MessageLabs Spam Blunder

timothy posted more than 3 years ago | from the won't-happen-again dept.

Security 44

littlekorea writes "MessageLabs claims to have discovered that the systems of one of its customers were hacked by spammers after an entire block of MessageLabs IP addresses was blocked by antispam service SORBS. Customers of the managed email service had problems with outbound mail last week after MessageLabs' IP addresses were included in SORBS' block list. The Symantec-owned service provider has assured customers it has systems in place to prevent such incidents from happening again."


44 comments


Firefox 4 (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34205236)

This is off topic, but Firefox 4 is so fast the news about it hasn't caught up to it yet and returns a 404 error.

Also it lets me post first.

Please don't use SORBS blocklist (5, Interesting)

Anonymous Coward | more than 3 years ago | (#34205246)

Sorbs is a really poor block list which I don't think anyone should use.

I found that my mail server is listed in their list, because 3 years ago the same IP range was allocated to a dynamic IP range.

Even though it is now a static server address and the whois IP allocation records were long ago updated, and even has the reverse dns saying "static" in the format that sorbs demand, because the ENTIRE /24 network where my server lives doesn't conform to their demanded reverse DNS standard, they refuse to delist it.

Their web service is a total nightmare and even their auto responder takes two weeks. As someone who has been working with mail servers on the internet since 1992, I would say please for the love of god, do not use sorbs as an email blocking list.

Check out Wikipedia for more info on them, they also solicit payments for some delisting which seems completely unethical.

Re:Please don't use SORBS blocklist (2, Informative)

arivanov (12034) | more than 3 years ago | (#34205308)

Seconded. I tried using them a few years back and balked at the appalling quality of the data.

In any case, using greylisting, some basic header sanity checking and spamhaus kills 99%+ of the spam so there is really no technical need to use such an aggressive list.

Please don't use ANY blacklist (5, Informative)

Anonymous Coward | more than 3 years ago | (#34205318)

In addition to the complaints specific to SORBS, here [acme.com]'s what the acme.com owner (who, more than half a decade ago, received on the order of a million spam mails per day) has to say about DNS-RBLs in his write-up on how to efficiently and effectively filter spam:

DNS-RBLs - Domain Name System Realtime Black Lists. In theory the idea is fine. You have a set of sites that you blacklist, and you want to let other folks use the same list so you distribute it using DNS, which is a nice efficient de-centralized database. What's not to like?

Well, I don't know why, but in practice every single DNS-RBL eventually comes under the control of power-hungry weenies. They start listing sites unreliably, and if you complain you find yourself listed. And there's usually no way to get off the list.

A lot of people tell me I'm wrong about this. They say that certain DNS-RBLs are ok, with objective criteria for inclusion and simple procedures for getting off the list. The thing is, they give conflicting recommendations for which lists are good and which are bad. Some of these folks recommend lists which I know from personal experience are bad.

This problem is really inherent in the way DNS-RBLs are set up. You cede control of your mail system to a third party, with no real possibility of checking how they are doing. The people running the lists get overwhelmed with bogus feedback from spammers and/or idiots, to the point where they assume all their mail about the lists is from spammers and/or idiots.

If the lists you use have not yet descended into corruption and chaos, consider yourself temporarily lucky.

Do not use DNS-RBLs.

As you can see, he addresses the specific problems with SORBS ("in practice every single DNS-RBL eventually comes under the control of power-hungry weenies. They start listing sites unreliably, and if you complain you find yourself listed. And there's usually no way to get off the list"), gives a reason for why this is ("the people running the lists get overwhelmed with bogus feedback from spammers and/or idiots, to the point where they assume all their mail about the lists is from spammers and/or idiots"), draws his conclusions ("this problem is really inherent in the way DNS-RBLs are set up. You cede control of your mail system to a third party, with no real possibility of checking how they are doing") and arrives at a recommendation ("do not use DNS-RBLs").

Re:Please don't use ANY blacklist (3, Insightful)

McD (209994) | more than 3 years ago | (#34205748)

and arrives at a recommendation ("do not use DNS-RBLs").

This entire analysis is spot on, but the reason blacklists are so popular is that they tend to work - you use one, the spam goes down, your users are happy. (Right up to the point where they discover a false positive that the RBL is blocking them from getting, anyway.)

In light of that, "do not use DNS-RBLs" is kind of throwing the baby out with the bathwater. The obvious middle ground, of course, is "don't use DNS-RBLs to make a binary accept/reject decision." Instead, use them as a weighted input to an overall spam score, such as is done by SpamAssassin or policyd-weight.

But then, that's generally more work. :-)

Re:Please don't use ANY blacklist (1)

gujo-odori (473191) | more than 3 years ago | (#34211852)

That's too absolute. There are certainly reliable RBLs operated by individuals. It is also certainly the case that any mail admin can, at any time, cease using an RBL that has become unreliable.

There are also reputation-based blocklists (don't know if any are free or not) that both remove the possibility of human capriciousness from the equation and allow more finely-grained judgments. A traditional RBL is a binary decision: accept or block. With a reputation-based RBL, you can say "OK, I will not accept any mail from a host with a reputation less than X, I will quarantine mail from a host with a reputation between X and Y, and I will deliver mail from a host with a reputation greater than Y" (for example; this is obviously simplistic and not meant as a real-world config except for the part about rejecting at X).

Indeed, without the use of RBLs, it would be intolerably costly to do content filtering on all messages, even for the fastest filtering systems. Blocking based on IP is an indispensable tool.

Full disclosure: I work for an email security vendor (but not MessageLabs).
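The weighted-score approach McD describes and the reputation thresholds gujo-odori sketches, as one added example (not code from the thread, SpamAssassin or policyd-weight): DNSBL zone names, weights, thresholds and the stand-in resolver are all constructed, so it runs offline.

```python
"""Added example (not from the Slashdot thread, SpamAssassin or policyd-weight):
DNSBL answers as weighted inputs to a score, then reputation-style thresholds
(deliver / quarantine / reject) instead of one list making a binary decision.

Zone names, weights and thresholds are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# DNSBL zone -> weight added on a hit. Constructed: a real deployment tunes
# these from each list's observed false-positive rate, so an aggressive list
# gets a small weight and can never reject on its own.
DNSBL_WEIGHTS: Dict[str, float] = {
    "dnsbl-a.example": 3.0,
    "dnsbl-b.example": 1.0,
    "dnsbl-c.example": 1.5,
}

# Thresholds in the sense of the thread: below X deliver, between X and Y
# quarantine, at or above Y reject. Constructed numbers.
QUARANTINE_AT = 2.0
REJECT_AT = 4.0

# A resolver returns the A records for a name, or None on NXDOMAIN. Injected so
# the example runs offline; production would wrap a real DNS client here.
Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet DNSBL query name:
    198.51.100.7 in dnsbl-b.example -> 7.100.51.198.dnsbl-b.example"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(answers: Optional[List[str]]) -> bool:
    """A listing is signalled by an A record inside 127.0.0.0/8. NXDOMAIN, or a
    non-loopback answer such as a wildcarded or parked zone, does not count, so
    a list that disappears cannot silently start marking everyone as listed."""
    if not answers:
        return False
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


@dataclass
class Verdict:
    ip: str
    score: float
    action: str
    hits: List[str] = field(default_factory=list)


def score_sender(ip: str, resolve: Resolver,
                 weights: Dict[str, float] = DNSBL_WEIGHTS) -> Verdict:
    """Query every configured list, sum the weights of the hits and map the
    total onto an action. Hits are kept so the decision can be explained."""
    score = 0.0
    hits: List[str] = []
    for zone, weight in weights.items():
        if is_listed(resolve(dnsbl_query_name(ip, zone))):
            score += weight
            hits.append(zone)
    if score >= REJECT_AT:
        action = "reject"
    elif score >= QUARANTINE_AT:
        action = "quarantine"
    else:
        action = "deliver"
    return Verdict(ip, score, action, hits)


# Constructed stand-in for DNS: query name -> answers. Anything absent is NXDOMAIN.
FAKE_DNS: Dict[str, List[str]] = {
    # a host on all three lists
    "7.100.51.198.dnsbl-a.example": ["127.0.0.2"],
    "7.100.51.198.dnsbl-b.example": ["127.0.0.6"],
    "7.100.51.198.dnsbl-c.example": ["127.0.0.2"],
    # a host on the heavy list; list c has started answering with a wildcard
    "20.2.0.192.dnsbl-a.example": ["127.0.0.2"],
    "20.2.0.192.dnsbl-c.example": ["203.0.113.9"],
    # a host on the low-weight list only (one list's opinion, not a block)
    "21.2.0.192.dnsbl-b.example": ["127.0.0.6"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.20", "192.0.2.21", "192.0.2.22"):
        v = score_sender(ip, fake_resolve)
        print(f"{v.ip}: score={v.score} action={v.action} hits={v.hits}")
```

With these constructed weights a hit on the low-weight list alone still delivers, which is the point of not letting a single list make the decision.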

Re:Please don't use SORBS blocklist (1)

robothand (1151773) | more than 3 years ago | (#34205504)

>Sorbs is a really poor block list which I don't think anyone should use

Could not agree more! Anyone that uses SORBS as a blacklist deserves not to receive any email. There are tons of good lists to use - why use one that tries to extort money from people and is completely unresponsive to any form of engagement? SORBS is a public nuisance in my opinion. I also have to question how many people were really dropping email from the messagelabs servers - hardly anyone uses SORBS anymore due to their complete lack of credibility. My advice to anyone being listed by SORBS is to simply ignore them. And mail server admins - do not use SORBS. And by the way this is no "blunder" by Messagelabs - this kind of thing goes on all the time - anti spam systems are by no means perfect.

Re:Please don't use SORBS blocklist (0)

Anonymous Coward | more than 3 years ago | (#34205518)

We had these issues recently. We're with MessageLabs, but I thought the incident was isolated to us and didn't have anything to do with MessageLabs IPs.

We tried disabling our firewall temporarily while diagnosing some TCP reset issues. Usually we only allow SMTP traffic from MessageLabs servers, but since our server isn't configured as an open relay then disabling the firewall shouldn't be a big deal.

Unfortunately I tried running an open relay test on our server and found out that even though our server is by definition not functioning as an open relay, it still failed a couple of tests they had (something like 2/19 tests). Those tests were for attempts at sending mail to our internal domain, which doesn't count as a relay from the definitions I've seen, so I think it's strange to count that as a relay. Can anyone provide more info on that?

Re:Please don't use SORBS blocklist (0)

Anonymous Coward | more than 3 years ago | (#34205760)

Any RBL which demands some form of compensation, monetary or otherwise to de-list you should be avoided at all costs.
Even IF they list your servers, you simply tell the people you run across that use them to switch over to another service which does not have these policies in place.
I typically have to swap over 2-3 sites a month from using the SORBS service due to this. The policy is simple, we do not pay, ever.

Re:Please don't use SORBS blocklist (1)

6ULDV8 (226100) | more than 3 years ago | (#34205762)

SORBS does create problems, but in this case, they got it right. ML was passing spam through their network. SORBS identified it and blacklisted them. There are plenty of reasons to speak badly of SORBS, but this isn't one.

Re:Please don't use SORBS blocklist (1)

mail2345 (1201389) | more than 3 years ago | (#34207072)

It's less of being added to a blocklist, and more of being unable to get removed without paying and going through the other hoops.

Re:Please don't use SORBS blocklist (1)

MightyMartian (840721) | more than 3 years ago | (#34206624)

Yup. Blacklists are questionable at the best of times, and SORBS has long been one of the worst.

Re:Please don't use SORBS blocklist (1)

Megor1 (621918) | more than 3 years ago | (#34207660)

Sorbs will add you to their list for sending a single email, not spam, a single email. If one of your users typos the domain and it goes to one of the zillion spam trap domains they use you get added.

SORBS doesn't have a fine any more.... (0)

Anonymous Coward | more than 3 years ago | (#34208984)

SORBS Doesn't charge for delisting any more (at all)

http://www.sorbs.net/faq/spamdb.shtml

Re:Please don't use SORBS blocklist (1)

Linuxmagic (1115793) | more than 3 years ago | (#34213348)

Aggressive or not, agree with them or not, MessageLabs has definitely suffered from a major outbreak over the last few weeks. However, so have several other well known Spam Filtering technologies.

Love that Symantec owns the hosting (1)

erroneus (253617) | more than 3 years ago | (#34205276)

Of all the companies that should have been most aware of the threat of spammers and hackers, it should be one of the ones who profit the most from selling anti- and counter-measures against their activities. They are the "experts" on the subject aren't they?

Re:Love that Symantec owns the hosting (1)

arivanov (12034) | more than 3 years ago | (#34205338)

You are missing the point of marketing through fear and the difference between marketing through fear and marketing on technical spec and merit.

The first is easy, the second requires the spec and the merit to be there in the first place. Judging by the way this incident has proceeded it is not there. It takes about 5 lines of code in perl using Net::DNS to walk your address blocks and check them vs the known blacklists. It takes about 5 lines of code in perl to parse a log and pick up a 5xx SMTP bounce. It takes about a page of code to plot the bounces vs your address blocks and this plot is one of the _ESSENTIAL_ plots in a managed mail service and this change in the bounce distribution should have caused an immediate red alert. It takes 5-10 lines of perl (with a suitable framework in the back) to take an IP block from or put it back into an MX-pool service if of course you have the competence to build your service this way in the first place so it is maintainable and scalable without having to have a whole NOC on a warmer and wetter subcontinent to handle upgrades. It takes...

That is all of course if the underlying competence is there in the first place. There has to be someone moderately competent to understand the underlying subject matter _AND_ the change process to write those few lines of code ya know...

It is of course easier to blame it all on "hackers"...
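The log-parsing check arivanov describes (pick up listing-related 5xx bounces and lay them against your own address blocks), as an added example that is not from the thread or from any MessageLabs tooling, and in Python rather than Perl: the log lines, host names, addresses and list zones are constructed; the line shape follows Postfix smtp client logging.

```python
"""Added example (not from the thread or from MessageLabs' own tooling): pull
DNSBL-related 5xx rejections out of an outbound MTA log and aggregate them per
/24 of our own sending addresses, the bounce-versus-address-block check the
comment above describes. Log lines and list zones are constructed; the line
shape follows Postfix smtp client logging, where the remote's reply text
usually echoes our client IP."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed sample log (not real traffic): two of our hosts in 198.51.100.0/24
# refused by the same list, one host in 192.0.2.0/24 refused by another list,
# one ordinary user-unknown bounce, one successful delivery.
SAMPLE_LOG = """
Nov 12 09:14:02 out1 postfix/smtp[2231]: 4A1B2C3D: to=<alice@example.com>, relay=mx.example.com[203.0.113.10]:25, delay=0.4, dsn=5.7.1, status=bounced (host mx.example.com[203.0.113.10] said: 550 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl-a.example (in reply to RCPT TO command))
Nov 12 09:14:03 out1 postfix/smtp[2231]: 4A1B2C3E: to=<bob@example.org>, relay=mx.example.org[203.0.113.20]:25, delay=0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 12 09:14:05 out2 postfix/smtp[1810]: 4A1B2C3F: to=<carol@example.net>, relay=mx.example.net[203.0.113.30]:25, delay=0.6, dsn=5.7.1, status=bounced (host mx.example.net[203.0.113.30] said: 554 5.7.1 Client host [198.51.100.9] blocked using dnsbl-a.example (in reply to RCPT TO command))
Nov 12 09:14:06 out1 postfix/smtp[2231]: 4A1B2C40: to=<dave@example.com>, relay=mx.example.com[203.0.113.10]:25, delay=0.4, dsn=5.1.1, status=bounced (host mx.example.com[203.0.113.10] said: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Nov 12 09:14:07 out3 postfix/smtp[3300]: 4A1B2C41: to=<erin@example.org>, relay=mx.example.org[203.0.113.20]:25, delay=0.5, dsn=5.7.1, status=bounced (host mx.example.org[203.0.113.20] said: 550 5.7.1 Client host [192.0.2.15] blocked using dnsbl-b.example (in reply to RCPT TO command))
""".strip().splitlines()

# A permanent failure with the remote's reply text captured.
BOUNCE_RE = re.compile(
    r"status=bounced \(host (?P<remote>\S+) said: (?P<code>5\d\d) (?P<text>.*?) \(in reply to")
# Inside that text: our client IP and the zone it was looked up in.
LISTED_RE = re.compile(
    r"\[(?P<client>\d{1,3}(?:\.\d{1,3}){3})\] blocked using (?P<zone>\S+)")


class ListingReject(NamedTuple):
    remote: str
    code: str
    client_ip: str   # our sending address, as the remote saw it
    zone: str


def parse_listing_rejects(lines: Iterable[str]) -> List[ListingReject]:
    """Keep only 5xx bounces whose reply text names a DNSBL hit; other 5xx
    (user unknown, quota, policy) are real bounces but not a listing signal."""
    found: List[ListingReject] = []
    for line in lines:
        m = BOUNCE_RE.search(line)
        if not m:
            continue
        listed = LISTED_RE.search(m.group("text"))
        if not listed:
            continue
        found.append(ListingReject(m.group("remote"), m.group("code"),
                                   listed.group("client"), listed.group("zone")))
    return found


def by_block(rejects: Iterable[ListingReject],
             prefixlen: int = 24) -> Dict[str, Dict[str, Set[str]]]:
    """Our /prefixlen -> zone -> set of our IPs that zone refused."""
    report: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for r in rejects:
        block = str(ipaddress.ip_network(f"{r.client_ip}/{prefixlen}", strict=False))
        report[block][r.zone].add(r.client_ip)
    return {block: dict(zones) for block, zones in report.items()}


def alerts(report: Dict[str, Dict[str, Set[str]]], min_hosts: int = 2) -> List[str]:
    """Flag a block when one list has refused at least min_hosts distinct hosts
    in it: from the sending side that is what a block-level listing looks like,
    as opposed to one compromised customer relay tripping a single entry."""
    out: List[str] = []
    for block, zones in sorted(report.items()):
        for zone, ips in sorted(zones.items()):
            if len(ips) >= min_hosts:
                out.append(f"{block} refused by {zone} for {len(ips)} hosts: "
                           + ", ".join(sorted(ips)))
    return out


if __name__ == "__main__":
    report = by_block(parse_listing_rejects(SAMPLE_LOG))
    for line in alerts(report):
        print("ALERT:", line)
```

Run against a real log tail on a schedule, the same report is what would drive pulling a block out of the MX pool before customers notice.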

Scum of the earth? Or from Hell? (1)

thijsh (910751) | more than 3 years ago | (#34205282)

Sullivan said the email was "quite patently designed to mislead users of SORBS into believing that MessageLabs are the good guys and SORBS are the scum of the earth."

In my experience they are a bunch of bastards, the BOFH probably leads the SORBS team... :-)
Then again, we need them to be tough and love it when they give spammers crap. In a way they are the lone bad cowboys from the internet, fighting injustice in their own way and keeping it a little safer, but don't expect them to be polite or helpful. And when you are standing near a bad guy with a black hat when the cowboys show up, expect to be shot down in a heartbeat western style... real cowboys don't mess around discriminating bad guys from not so bad guys.

Re:Scum of the earth? Or from Hell? (1)

Spazmania (174582) | more than 3 years ago | (#34205872)

Ditto. I have yet to see SORBS receive criticism they haven't earned.

This all sounds backwards (3, Informative)

camperslo (704715) | more than 3 years ago | (#34205292)

Doesn't it seem much more likely that the hack is what led to the spam being sent, THEN the site got blocked as a result?

Re:This all sounds backwards (2, Interesting)

IBBoard (1128019) | more than 3 years ago | (#34205354)

I think that's just bad phrasing. My reading is that they only found out that the customer had been "hacked" because they were blacklisting (i.e. 'hacking' occurred, blacklisting occurred, awareness of blacklisting occurred, and finally awareness of 'hacking' occurred).

Re:This all sounds backwards (1)

CRC'99 (96526) | more than 3 years ago | (#34205768)

I think that's just bad phrasing. My reading is that they only found out that the customer had been "hacked" because they were blacklisting (i.e. 'hacking' occurred, blacklisting occurred, awareness of blacklisting occurred, and finally awareness of 'hacking' occurred).

Exactly - and isn't this the whole idea on how this is supposed to work?

Re:This all sounds backwards (1)

IBBoard (1128019) | more than 3 years ago | (#34207200)

How what is supposed to work? I thought the whole idea of MessageLabs was that they were supposed to be "anti-spam" in some way and so should stop the messages before they get flagged as being evil.

Even if they assumed that all activity was legit, it'd still be good to have noticed you had unusual behaviour before you get blacklisted (or at least before people notify you that you've been blacklisted).

Re:This all sounds backwards (4, Insightful)

JeffSh (71237) | more than 3 years ago | (#34205972)

Knowing how Messagelabs works myself, just to refine it, it probably went something like this.

Emailserver1 is set up to relay outbound through Messagelabs all of the email.
Emailserver1 is compromised and used as a mail relay itself
Messagelabs receives spam generated by Emailserver1 and because all outbound email is filtered, they recognize it after a few hundred pieces of mail and begin to throttle/stop connections from the server
A few pieces of the hundred are delivered to destination recipients
SORBS places the entire Messagelabs /24 on their lame block list in response and because they suck as a service take forever to remediate bad blocks

The answer to all this is Messagelabs IP ranges should never end up on SORBS' list because of what they are, an output pool for tens of thousands of people which is maintained by a company with a reputation. The fact SORBS feels it within their power to blacklist Messagelabs IP ranges shows how much power they feel that they have, power derived merely from the fact that some people use them.

This should prove to people who use SORBS why not to use them. It's SORBS' fault, not Messagelabs'. The whole idea of a list like SORBS is to be a well maintained list of "bad IPs". If they add Messagelabs' /24's to their list, this proves it is not well maintained. The act of sending a small number of spam emails is inherently unpreventable almost by definition, and ML has the infrastructure in place to protect against 99.9999% of it.

Re:This all sounds backwards (1)

gujo-odori (473191) | more than 3 years ago | (#34211880)

Yeah, I worked for an ML competitor a few years ago, and had the same sort of problem with SORBS from time to time (same business/network model as ML, making these incidents somewhat inevitable; outbound spam filtering is WAY harder than inbound filtering). I, too, am sure that's what happened.

I still work in email security, but not for the ML competitor mentioned above.

anon (3, Interesting)

Anonymous Coward | more than 3 years ago | (#34205304)

Having been caught in exactly this situation between these two companies before left me with a very bitter taste in my mouth towards SORBS.
SORBS "require" a "donation" ( to a charity ) to get delisted.
Type SORBS and charity into google and have a peek at what comes back.......
On the SORBS site ( I don't remember exactly where, but I do remember reading it last time I went through this crap ) they say that ( me paraphrasing ) they are probably not allowed to charge a fee for delisting for legal reasons, so they "require" a "donation" instead. Ohh yeah you can choose a SORBS approved charity and jump through hoops to prove your donation OR rather conveniently they have a charity that you can donate to which will place less hoops in your way. Which one you gonna choose considering people are yelling at you that their mail ain't getting through?
Do a bit of googling and there are reports of people blacklisted by SORBS being asked to buy hardware for SORBS as the "donation" to get unlisted.
See much info on the SORBS site on what measures they take to prevent and deal with false positives? No? Well that's probably because when they are charging for delisting it's in their interests to generate as much paying custom as possible.
Seems like a form of extortion to me........

unbreakable (1)

DrSkwid (118965) | more than 3 years ago | (#34205320)

> it has systems in place to prevent such incidents from happening again

care to put a bounty on that ?

extortion by SORBS (5, Informative)

lechiffre5555 (1939278) | more than 3 years ago | (#34205324)

Having been caught in exactly this situation between these two companies before left me with a very bitter taste in my mouth towards SORBS.
SORBS "require" a "donation" ( to a charity ) to get delisted.
Type SORBS and charity into google and have a peek at what comes back.......
On the SORBS site ( I don't remember exactly where, but I do remember reading it last time I went through this crap ) they say that ( me paraphrasing ) they are probably not allowed to charge a fee for delisting for legal reasons, so they "require" a "donation" instead. Ohh yeah you can choose a SORBS approved charity and jump through hoops to prove your donation OR rather conveniently they have a charity that you can donate to which will place less hoops in your way. Which one you gonna choose considering people are yelling at you that their mail ain't getting through?
Do a bit of googling and there are reports of people blacklisted by SORBS being asked to buy hardware for SORBS as the "donation" to get unlisted.
See much info on the SORBS site on what measures they take to prevent and deal with false positives? No? Well that's probably because when they are charging for delisting it's in their interests to generate as much paying custom as possible.
Seems like a form of extortion to me.......

Re:extortion by SORBS (5, Informative)

memyselfandeye (1849868) | more than 3 years ago | (#34205884)

Similar nightmare for a project website started a while back. We registered with the host, a VERY BIG host I'll add, and suddenly found our assigned IP addresses were all blocked. SORBS said it was the provider's fault, they gleefully hosted spam sites so must be punished. It would sure be nice to have group related e-mail for organizational purposes. Unless our host paid to play, it was game over. No big deal, we moved to an even BIGGER, more expensive, host (currently a publicly traded company with some big 'cloud' options) and yet again found our new IP addresses blocked, oddly though, only after our domain was updated with the new DNS addresses.

It boggled the mind how a brand new, never registered previously before domain for a research project related to a small scientific group studying x-ray deep surface x-ray diffraction could be the root cause of a huge criminal enterprise. One might think SORBS took offense to a previous email relaying certain concerns and blocked the domain out of spite. Fortunately when we relayed those fears SORBS corrected us, and proved with some very convincing records that 2 chemists and a physicist were really responsible for the downfall of humanity, and all it would take is a donation to their legal fund. (Oppenheimer eat your heart out).

The advantage of toiling for a university day and night is access to a rather sophisticated legal department that loves crushing tiny people like Kevin SORBOS playing Hercules. Needless to say, the SORBS legal defense fund suddenly looked like it was going to get a real workout, and magically, an error was found and corrected. We were unblocked.

Let me say it one more time...Nightmare.

My SLASHDOT account was HACKED !! HELP FIND SCUM (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34205458)

My Gmail was hacked thanks to the crappy cloud and its lack of security. Thanks, Google.
So an interesting thing happened to me recently, and it resulted in a bunch of snarky e-mails from my friends. Apparently, my Google account was hacked or, more likely, Google was hacked. I'm sure it was the latter, because Google and its services must be the biggest target since the golden age of targeting Microsoft.

It began with my Gmail account, which I never use except as an emergency system. I probably log into it once a month. But, because Google wants to make its own life easier, it forced me to use my Gmail account for everything I do with Google. Instead of having separate passwords for Google Voice, AdSense, and even Web surfing, Google stupidly made me consolidate all my passwords into the Google Mail password. It's the new rule.

Why? Is this because Google hasn't got enough computing power to keep track of multiple passwords? Or is it because it wants to make life easier for itself and track everything I do, so it can do a better job of analyzing me for advertising delivery? Hmmm, let me think.

Meanwhile, to hell with security.

This, by the way, tells me that Google does not give a crap about security. So, all of a sudden, a slew of people begin to get spam from my Gmail account, and it's pretty well done. I figure it was an inside job at Google or by some pros. The e-mails are addressed from me, but they don't show up in my outbox. The spam was sent to those in my contact list; the list that was imported by Google somehow and contains people I've mailed at one time or another.

Anyway, the possibilities as to how this was done are limitless. A browser hack, inside job, key-log trojan, who knows? The spam was from some company that linked to some bogus gift card. Luckily, all the people on my contact list knew the e-mail was not from me because it was too cheery, among other reasons. If you ever get a cheery message from me, call the police!

Google, which has no real customer service that I know of, indicates no way of reporting such a scam except on some blog-like forum, so I changed my password to see if the problem would go away. It did, or so I thought.

Then a couple of days ago, the same kind of thing happened with my Google Voice account. Some guy called me complaining about how I had been calling him all day. There was no evidence of this on my phone, and I wasn't carrying the phone on me, so butt-dialing seemed unlikely. I figured it was a test hack of Google Voice. Again, I see no easy mechanism for reporting anything like this to an actual person at Google.

It's like Google thinks: So what if you send out a little spam, or you're calling people for no apparent reason? What's the worst that can happen? Just live with it, chump.

So what's my point? The point is that this is not about Google (well, not completely). It's about the cloud. While the consolidated password forced by Google is a bad enough idea, the fact that the cloud itself is a security nightmare is often overlooked.

The cloud vendors go on and on about how the cloud is more, not less secure. I've only encountered security problems when the cloud was involved. Millions of credit cards are stolen right off "secure" cloud websites every year. I do not see this changing.

And think about this: Everything in this industry consolidates, at one time or another, to just a very few players in any given sector, which means the cloud vendors will probably do the same. All you'll have are about three players. That means the efforts of hackers will be more targeted and more likely to succeed. Insofar as massive data breaches are concerned, we ain't seen nothing yet.

I met a devil woman
She took my heart away
She said, I've had it comin' to me
But I wanted it that way
I say that any love is good lovin'
So I took what I could get mmh, mmh, mmh
She looked at me with them brown eyes

And said, You ain't seen nothin' yet
B-B-B-Baby, you just ain't seen n-n-n-nothin' yet
Here's something that you're never gonna forget
B-B-B-Baby, you just ain't seen n-n-n-nothin' yet
And you're thinkin' you ain't been around, that's right

And now I'm feelin' better
Cause I found out for sure
She took me to her doctor
And he told me of a cure
He said that any love is good love
So I took what I could get
Yes I took what I could get
And then she looked at me with them big brown eyes

And said, You ain't seen nothin' yet
B-B-B-Baby, you just ain't seen n-n-n-nothin' yet
Here's something, here's something that you're never gonna forget, baby
B-B-B-Baby, you know, you know, you know, you just ain't seen nothin' yet
You need an education, got to go to school

Any lovin' is good lovin'
So I took what I could get
Yes I took what I could get
And then, and then, and then she looked at me with them big brown eyes

And said, You ain't seen nothin' yet
Baby, you just ain't seen n-n-n-nothin' yet
Here's something, here's something
Here's a lover you're never gonna forget, baby
B-B-B-Baby, you just ain't seen n-n-n-nothin' yet
You ain't been around
You ain't seen nothin' yet, that's what she told me
She said, I need an education, go to school

I know I ain't seen nothin' yet
I know I ain't seen nothin' yet, mmh, mmh, mmh
I got something for you right now
Feels good, alright, how do you do that
But I ain't seen nothin' yet
But I deserve it one of these days
Woohoo, but I ain't seen nothin' yet
I ain't seen nothin' yet
Yeahyeahyeahyeahyeahyeah
I ain't seen nothin' yet
I'll wait, I'll wait, I'll wait
If you want to show me what I ain't seen, where I ain't been
Lalalalalala
Owowowowowowo

Re:My SLASHDOT account was HACKED !! HELP FIND SCU (1)

theskipper (461997) | more than 3 years ago | (#34205888)

Pro-tip: Starbucks also sells decaf.

Re:My SLASHDOT account was HACKED !! HELP FIND SCU (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34205948)

I beg your pardon
I never promised you a rose garden
Along with the sunshine
There's got to be a little rain sometimes

Skate to that! Starbuck sells XTAL CRANK METH SPEED? No milk? Mappable is the word! Strike 3! Common is the word.

don't panic...they fixed it (1)

digitaldc (879047) | more than 3 years ago | (#34205464)

....has assured customers it has systems in place to prevent such incidents from happening again...yeah right, that's what they said about Death Star 2. [pwdi.net]

Why did they remove it? (0)

Anonymous Coward | more than 3 years ago | (#34205730)

Considering one of MessageLab's clients is currently sending me spam with no way of opting out, I'm going to be a lone supporter of SORBS :)

Re:Why did they remove it? (1)

secolactico (519805) | more than 3 years ago | (#34206452)

Considering one of MessageLab's clients is currently sending me spam with no way of opting out, I'm going to be a lone supporter of SORBS :)

Hell, yes! I'm gonna go one step further and turn off my mail servers. Goodbye spam problem!

Bad article (1)

JeffSh (71237) | more than 3 years ago | (#34205936)

This is a very poorly written article which seems to cast Symantec's Messagelabs in a bad light when in fact it should be SORBS.

SORBS is a horrible black list and no one should use it. They are slow to de-list unless you pay an extortion fee. They probably put Messagelabs on their block list at the slightest provocation. I work with Messagelabs frequently and I have seen first hand how Messagelabs throttles connections from IPs and shuts them off automatically when they detect spam. I think the scope of the "spam" problem was likely limited to a couple hundred pieces, at most, more likely even less.

I question the source of the article and whether the writer received some sort of payment to create it to look so good towards SORBS. Now that Messagelabs is owned by Symantec, they may be considered a "big dog" in the industry and prone to these sorts of negative press articles designed to attack at them. I don't feel that this is legitimate.

SORBS should be utterly crushed (0)

Anonymous Coward | more than 3 years ago | (#34207094)

I went through a real pain in the ass experience trying to get some domains delisted from SORBS a few years ago. The one "person"(ahem...) who runs SORBS has waaaayyy too much power in their hands. Also, I can't believe these douchebags who use SORBS to get their blacklists.

We've used Message Labs for years (1)

Gavin Scott (15916) | more than 3 years ago | (#34208178)

I can't think of another internet product or service that has improved my quality of life as much as Message Labs has.

I have not gotten a single email with a virus/trojan attached since we signed up for their service several years ago.

I get maybe up to a dozen spam messages a day (probably half of them semi-legitimate attempts to sell me stuff as opposed to pure broadcast drug spam etc.) but the Message Labs stats show they're deleting hundreds and hundreds of spam messages a day directed at me. I never need to bother obscuring or hiding my primary email address on the net. I use it openly on Usenet and web pages and I'm still almost completely free of spam.

I've never had a false-positive problem.

I can recommend them very highly if you get a lot of spam / virus email and you just want the problem to go away with essentially no work on your part.

G.

Messagelabs spam is real (1)

jcaren (862362) | more than 3 years ago | (#34208274)

This is the response I got from ML when complaining about a 100K image laden pile of HTML tag soup one of thier customers had sent to my address as well as three of my spamtraps. Note ML first asked if I would provide the domain(s) of my spamtraps so they could ask thier cleint to add my spamtraps to thier stoplist.

Full discussion on the now defunct spam-l list - note that NO ONE stood up for ML.
Pretty much everyone commenting stated that ML are hot on inbound spam and don't give a shit about outbound.
They consider themselves TBTB (too big to block).

Messagelabs_Support wrote:

        Hi Jacqui

        I am writing from Messagelabs in regards to a matter whereby you have been receiving unsolicited mail.

        We have been in contact with the senders of this mail and they have agreed to remove you from their mailing lists.

I would have expected that you would have been asking for details
so that you can ask them to provide proof of opt-in to yourself.
Given the above statement there is no way I could provide unredacted information
without compromising what is to all intents a spam trap.

        However, for them to do so, could you please let us know the full e-mail address that this is being sent to as in your posts you have removed the domain name.

You are joking? They have not only hit "web-scrape only" addresses that are
now used as spam traps ( with the odd real request) but they have hit real
life spam traps on systems I manage. This (to me) screams list purchase
or they are running a very cheap web crawler.

        Once we have this we can go back to our client and get them to remove you from your list.

No thanks - obviously you believe that the UBE your client "excretes"
is more important than your reputation. Did you bother to look at the
content (including the very large in-line images) and tag soup HTML?
I ran it through S::A and it screamed SPAM at me!

        We look forward to hearing from you so that we can get this resolved.

I don't know what I can say to this. You obviously have no interest in stopping
these people sending out this trash.

Jacqui

Good for SORBS. They're doing it right. (1)

Animats (122034) | more than 3 years ago | (#34208634)

I agree with SORBS on this. If you run email through a provider which allows any form of "bulk email", "opt-in" or otherwise, once in a while, some spam will come out of their system. That apparently happened here, and SORBS, correctly, blocked them. That's the risk you take if you sign up with an email provider that isn't sufficiently aggressive about spam.

Notice how fast MessageLabs cut off the spam source, and how much effort they put into fixing the problem. Without punishment from an external checker on their behavior, the spam probably would have continued for weeks, if not indefinitely. Because of SORBS' action, the problem is already fixed.

SORBS has, at various times, blocked Google outgoing mail and Postini outgoing mail. As a result, Google and Postini (now owned by Google) had to become much more effective at knocking off spammers. That's what you want to happen.

If security is to be effective, incidents like this have to occur. There will be some collateral damage.

Re:Good for SORBS. They're doing it right. (0)

Anonymous Coward | more than 3 years ago | (#34211748)

lol, I like how you attribute them improving their systems to SORBS. Realistically, I think SORBS would be a minor part in it, if at all. Their goals have always been to improve spam detection/prevention. I also doubt for one moment that Google, Postini, or any other incredibly large mail host has ever caved in to the SORBS extortion to get off their RBLs. I also doubt that listing on SORBS directly contributed to expedited systems R&D to produce higher-quality anti-spam measures.

I don't really think anyone uses SORBS anymore. I've been on the spam.dnsbl.sorbs.net list for a good 3 months (because ONE email went to some isux.com address - I know, I went through the logs). I've only had ONE problem with a publisher that rejected us for being on that ONE RBL. I emailed the admin and either got him to stop using SORBS or whitelist us. Not sure which.

Keep in mind, we're not huge, but we do have over 3k active email accounts, with several alumni of various universities (ex profs, grad students, etc), and they tend to be 'chatty' with the email. Also, they're usually the first to tell me when we've got some bizarre problem.

Anyways, I'd drink a toast to hoping SORBS goes up in flames. Of all the RBLs I've dealt with, I've always hated dealing with them the most. And their holier-than-thou, "you must adhere to our failed RFC" attitude just sealed it for me.
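The listing the comment above talks about is something any mail admin can reproduce with a DNS lookup. The block below is an added example written for this page, not code from the thread, from SORBS or from MessageLabs. It shows how a DNSBL client builds the query name (reversed octets, or reversed nibbles for IPv6, under the zone), why only answers inside 127.0.0.0/8 count as a listing, and the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not) that catches a dead or wildcarded zone before it blocks every sender. The only real name in it is spam.dnsbl.sorbs.net, taken from the comment; the stub resolver, the dead.dnsbl.example zone and the documentation-range addresses are constructed so the example runs offline.

```python
import ipaddress
import socket

# Zone named in the comment above; everything else in this block is constructed.
SORBS_SPAM_ZONE = "spam.dnsbl.sorbs.net"

# A DNSBL signals "listed" with an A record in this range and nothing else.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Return the name a DNSBL client looks up for ip under zone.

    IPv4: octets reversed (1.2.3.4 -> 4.3.2.1.zone).
    IPv6: every hex nibble of the fully expanded address, reversed and
    dot-separated, as RFC 5782 specifies.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def live_resolver(name):
    """Resolve name to its A records with the system resolver.

    An empty list means NXDOMAIN / no answer, i.e. not listed.
    Not used by the offline demonstration below.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed stub standing in for DNS so the example runs offline.
# Keys are full query names; values are the A records a zone would return.
STUB_DNS = {
    # RFC 5782 test entry: 127.0.0.2 is listed in every healthy zone.
    "2.0.0.127." + SORBS_SPAM_ZONE: ["127.0.0.2"],
    # Constructed "listed" sender (192.0.2.10, TEST-NET-1 documentation range).
    "10.2.0.192." + SORBS_SPAM_ZONE: ["127.0.0.2"],
    # 198.51.100.20 has no entry at all -> NXDOMAIN -> not listed.
    # Constructed dead zone that has been wildcarded and answers for everything,
    # including 127.0.0.1, which a healthy zone must never list.
    "2.0.0.127.dead.dnsbl.example": ["127.0.0.2"],
    "1.0.0.127.dead.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.dead.dnsbl.example": ["127.0.0.2"],
    "20.100.51.198.dead.dnsbl.example": ["127.0.0.2"],
}


def stub_resolver(name):
    return list(STUB_DNS.get(name, []))


def _listed(ip, zone, resolver):
    answers = resolver(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)


def zone_is_healthy(zone, resolver=stub_resolver):
    """RFC 5782 sanity check: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A withdrawn zone that now wildcards every query fails the second test;
    a zone whose name no longer resolves fails the first. A client that
    skips this check either rejects all mail or silently checks nothing.
    """
    return _listed("127.0.0.2", zone, resolver) and not _listed("127.0.0.1", zone, resolver)


def check_listing(ip, zone, resolver=stub_resolver):
    """Describe whether ip is listed in zone.

    Only answers inside 127.0.0.0/8 count; anything else (a captive-portal
    or search-redirect answer, for instance) is reported under "ignored".
    """
    name = dnsbl_query_name(ip, zone)
    answers = resolver(name)
    codes = sorted(a for a in answers if ipaddress.ip_address(a) in LOOPBACK)
    return {
        "query": name,
        "listed": bool(codes),
        "codes": codes,
        "ignored": sorted(set(answers) - set(codes)),
    }


if __name__ == "__main__":
    for zone in (SORBS_SPAM_ZONE, "dead.dnsbl.example"):
        state = "healthy" if zone_is_healthy(zone) else "UNHEALTHY, do not use"
        print(zone, state)
    for ip in ("192.0.2.10", "198.51.100.20"):
        print(check_listing(ip, SORBS_SPAM_ZONE))
```

To run the same checks against real DNS, pass `resolver=live_resolver`; the return code in the A record (here a constructed 127.0.0.2) is zone-specific, so consult the list operator's documentation before acting on its value rather than on the bare fact of a listing.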

Agreed, 110%... apk (0)

Anonymous Coward | more than 3 years ago | (#34217984)

"If security is to be effective, incidents like this have to occur. There will be some collateral damage." - by Animats (122034) on Friday November 12, @12:48PM (#34208634) Homepage

Well put, & per my subject-line above, I agree... 110%!

E.G.-> I go thru "false positives", (and yes, their removals too) while I build a custom HOSTS file here, so the idea's much the same!

(Except perhaps for the fact I have sources & sites I can "verify against" as far as a site being a false positive, and my sources also put out "removal lists" for sites/servers/hostsnames/domainnames that clear their criteria (or have cleared themselves up & proven to have done so)).

It happens, and yes, it's a fact of life with blocklists/blacklists, of any kind!

APK

P.S.=> Thank goodness the "false positives" rates are SO tiny though, @ least on HOSTS files (less than .001% so far for the past 15 or so years of mine's total entries, which is built off all the reputable & respected + well-known HOSTS files out there today)... apk

SORBS sucks (1)

drechsau (89239) | more than 3 years ago | (#34218554)

LONG LIVE SORBS

Worst block list ever.

As a service provider - we have given up - if an address is listed we send an email off and then move about our path in life.

Always sucked, always will, users who use SORBS deserve what they receive, unfortunately.
