
SORBS - Is There a Better Spam Blacklist?

Cliff posted more than 7 years ago | from the blacklists-in-general-are-like-this dept.

Spam 226

rootnl asks: "Recently I decided to upgrade my email server with better spam detection and decided to use the SORBS blacklist. It is a very aggressive blacklist and could be deemed quite effective. However, I discovered two totally legal servers currently being blocked by their Spam 'o Matic service: a Google Gmail server (64.233.182.185), and another server belonging to an ISP called Orange (193.252.22.249). Now, normally one would think these providers would probably get themselves de-listed, but the process provided revolves around donating money. As I just happen to have a friend that is using the said ISP, I have to seriously reconsider using SORBS. What is your experience with SORBS? If you have alternatives, what would you suggest as a better blacklist service?"


226 comments


How About? (1)

elzurawka (671029) | more than 7 years ago | (#17470912)

This [slashdot.org]

Re:How About? (0)

Anonymous Coward | more than 7 years ago | (#17470972)

That is a list of web pages. This is about email spam on a LAN level. Stop typing open eyes.

Dunno about better (5, Informative)

melonman (608440) | more than 7 years ago | (#17470940)

But avoid SPEWS like the plague. They have a wonderful policy of blacklisting entire 16-bit IP ranges because one machine in an enormous server park has been used to send spam.

They know this causes massive collateral damage to machines administrated by totally independent companies, many of them small and liable to suffer severe hardship because of this arbitrary action. That's precisely the idea: they keep hurting non-spammers to make them lobby the server parks to deal with the spammers.

Unless you think that kidnapping children and refusing to return them unless their parents fight the mafia for you is an ethical law-enforcement policy, SPEWS is obviously far far worse than the problem they are allegedly attempting to solve.

Re:Dunno about better (3, Insightful)

Brightest Light (552357) | more than 7 years ago | (#17471038)

What exactly is an RBL operator supposed to do about large server parks that simply do not give a shit about the spammers residing on their network? What do you do about networks that actively aid spammers by moving them around and around to clean IP space as they're blacklisted? Playing IP whack-a-spammer went out of fashion years ago, and obviously asking politely doesn't work. Yeah, finding your ISP listed on SPEWS sucks, because there's no real way to contact them; though you can beg in NANAE and NANABL for the entertainment of the wannabe 'spam-fighters' till you're blue in the face -- but if your ISP does not care about the fact that one of their customers is stealing bandwidth, CPU cycles, and time from other people and their ISPs, what else can SPEWS do about it? My understanding of the SPEWS escalation process is that they notify the ISP about the spammer on their network, and then if nothing is done, they list the surrounding IP blocks in an ever-increasing fashion. Meaning if the ISP simply does not care that there's a spammer on their network, they are made to care by virtue of their entire netspace being (eventually) listed. What else *can* an RBL operator do when the ISP does not listen or care? I ask this as a serious question. IANASFBFNANAE (I am not a SPEWS fan boy from NANAE) - in fact, I don't directly use RBLs any longer.

Re:Dunno about better (1)

91degrees (207121) | more than 7 years ago | (#17471118)

Most blocking lists will list the entire ISP if they're causing a problem. SPEWS only lists the entire netblock. And often seem to list based on pretty arbitrary criteria. There are ISPs listed by SPEWS that last had a spammer several years ago but SPEWS continues to list them for reasons that are not shared by any other ISP, ISPs listed that haven't hosted spam, and ISPs that don't even exist any more. And the slight lack of logic of blocking email from addresses that only host websites.

That and SPEWS hasn't been updated for 4 months which suggests to a lot of people it's a dead list.

Re:Dunno about better (1)

scdeimos (632778) | more than 7 years ago | (#17472096)

And the slight lack of logic of blocking email from addresses that only host websites.

Whilst I have no experience with SPEWS, I have worked with ISP's and webhosting providers in the past. Blocking IP's that "only host websites" makes perfect sense when those web sites host brain dead form-to-mail scripts/executables (ie: sender and recipient addresses can be supplied as form parameters) - it's as good as advertising free SPAM zombies.

Re:Dunno about better (1)

mvdwege (243851) | more than 7 years ago | (#17472258)

SPEWS only lists the entire netblock. And often seem to list based on pretty arbitrary criteria.

I tend to hear that a lot. Funnily enough everyone posting these kind of complaints about SPEWS never seem to add any examples.

So, care to give examples?

Mart

Re:Dunno about better (1)

ohtani (154270) | more than 7 years ago | (#17472502)

I certainly can!

My previous dedicated hosting provider was somehow intertwined for being a spammer, when I know they would have and probably did indeed delete said spammer's account and remove their server right away. And that's assuming they even had spammers in the first place!

The case I saw seemed to be that my host was a "Sister's Daughter's Pet's Vet's Mother's Husband" type relationship. And because I was on that host I was affected too! Thank god almost nobody that was receiving e-mail being sent through my server actually USED SPEWS.

Re:Dunno about better (1)

mvdwege (243851) | more than 7 years ago | (#17472852)

That is not a verifiable example. That is hearsay.

What was the name of that provider? What was the netblock being 'blocked'?

Mart

Re:Dunno about better (1)

91degrees (207121) | more than 7 years ago | (#17472970)

Spews doesn't seem to be working for me right now so I can't provide numbers. However, I have seen an IP address that appears to be listed for a popular and quasi legal scam (reprehensible - yes but they're not spammers). I've also seen a few listings for companies that haven't existed for some time and listings where the only apparent spamming from the IP address was one which had sent spam for a total of 2 weeks some years ago, and then been stopped.

Re:Dunno about better (1, Troll)

melonman (608440) | more than 7 years ago | (#17471220)

The error in your reasoning starts when you assume that self-appointed do-gooders have the right to infringe the rights of third parties. (I'm not going to answer any posts about how actually it's just a list and no-one has to use it bla bla - save it for the bar-room barristers.) Vigilantes are always a menace, especially when they have a policy of hurting the innocent.



I think there's a pretty fundamental difference between a quasi-domestic ISP and a server park running dedicated servers which are the legal responsibility of completely independent companies. The only reason my machines share an IP range with spammers is because (like almost everyone), I'm not rich enough to buy my own pipe and deal directly with IANA.


And SPEWS' policy didn't make me put pressure on my ISP, it just made me vow never ever to use SPEWS on any server I have anything to do with, and to bitch about SPEWS on every possible occasion until the end of time. Part of fighting spam is getting the masses on the side of fighting spam, and I'm afraid that my starting position with anyone fighting spam now is "Is this just a cover for inflicting pain on the innocent?"


If the SPEWS ban had become a real problem I would rather have paid for a separate clean SMTP server [gradwell.net] than cave into the spam mafia. It's not that I like spam, I just hate bullies more. (We have since changed server parks, but this had nothing to do with SPEWS or spam.)


The good news is that, from my experience, almost no-one I ever wanted to send mail to uses SPEWS. That's the flip-side of blocking huge IP ranges in order to feel important: people with a life realise that being able to email more than 5% of the IP range is A Good Thing and simply sideline you.

Re:Dunno about better (1)

91degrees (207121) | more than 7 years ago | (#17471330)

I'm not going to answer any posts about how actually it's just a list and no-one has to use it bla bla - save it for the bar-room barristers.

Indeed. It's pedantry. And a rather cowardly refusal to accept responsibility for their actions. If I had a blocking list, then I'd say with pride that I block spam, and some list maintainers do this.

Some people do use SPEWS simply as a preventative spam blocking system. SPEWS itself doesn't claim to be any more than this. It's a bit heavy on the false positives but if people prefer things that way then who are we to criticise? The problem comes from the NANAE fanatics who insist that SPEWS is a punishment mechanism.

Re:Dunno about better (1)

geminidomino (614729) | more than 7 years ago | (#17471680)

Indeed. It's pedantry. And a rather cowardly refusal to accept responsibility for their actions. If I had a blocking list, then I'd say with pride that I block spam, and some list maintainers do this.

You mean like Joe Jared [oretek.com] , or maybe the NANAE Nine? [pcworld.com]

Lawyers are the only creatures on the planet with less scruples than spammers. Prudence does not necessarily equal cowardice.

Re:Dunno about better (2, Insightful)

meringuoid (568297) | more than 7 years ago | (#17471850)

The error in your reasoning starts when you assume that self-appointed do-gooders have the right to infringe the rights of third parties.

Is it the right of the owner of a mail server freely to accept or refuse messages at will? Is it his right to define whatever rules he wishes for the acceptance or rejection of email? Is there anybody in the world who has the right to order him to do otherwise?

If the answers are 'yes', 'yes' and 'no' respectively, I submit to you that it is those who would silence SORBS, SPEWS and the like who are infringing the rights of third parties, by ordering mail admins to only use means of filtering email of which they personally approve.

Re:Dunno about better (1)

91degrees (207121) | more than 7 years ago | (#17472322)

You know, I don't think many people really have a problem with people using SPEWS just as a blocking mechanism. They might think it's a crappy list, but there are other pretty hopeless lists that don't offend anyone nearly as much.

What gets people upset is when it changes from a blocking tool to some sort of police service, and people use it to bully ISPs to behave in a certain manner, or bully their customers to change, or various other irritating things that a lot of SPEWS advocates (but not SPEWS itself) do.

Re:Dunno about better (1)

epine (68316) | more than 7 years ago | (#17472004)


The error in your reasoning starts when you assume that self-appointed do-gooders have the right to infringe the rights of third parties. (I'm not going to answer any posts about how actually it's just a list and no-one has to use it bla bla - save it for the bar-room barristers.)

You have some gall beginning your post with an analysis of the error in other people's logic while predicating your argument on rights that don't exist and then insisting that if anyone points this out you'll stick your fingers in your ears and hum "nya nya nya nya". Sounds a lot like the behaviour of the ISPs you are seeking to defend.

I wish I had a moderation button that would add your introductory remarks to your slashdot sig for all time.

Re:Dunno about better (0, Flamebait)

Pig Hogger (10379) | more than 7 years ago | (#17472144)

And SPEWS' policy didn't make me put pressure on my ISP, it just made me vow never ever to use SPEWS on any server I have anything to do with, and to bitch about SPEWS on every possible occasion until the end of time.

Then you totally missed the point. It is not SPEWS that blocks you, it's the networks who use SPEWS that do.

And no amount of bitching is going to solve your problem, which is that you are supporting a spam-friendly ISP. And for this, you deserve to be listed.

Re:Dunno about better (0)

Anonymous Coward | more than 7 years ago | (#17473228)

, which is that you are supporting a spam-friendly ISP. And for this, you deserve to be listed.

And this is the stupid attitude that makes people hate SPEWS so much. Who says it's a spam supporting ISP? SPEWS does, but are they right? Why should we listen to SPEWS? Why should we give a damn what SPEWS thinks? SPEWS hides away in its secret lair somewhere deciding X is a spammer, Y is not a spammer, and anyone who is listed is, for some reason, expected to immediately jump and guess what will mollify SPEWS, or post on a public newsgroup and essentially beg to be removed, where they will be told what they need to do by people who make it perfectly clear that they don't represent the organisation.

You want to use them for listing. Fine. But what makes you think other people should give a damn about their opinion? It's the mail admins who are doing the blocking. Not the spammer. The mail admin should accept responsibility for what they're doing and not blame it on someone else.

Re:Dunno about better (0)

Anonymous Coward | more than 7 years ago | (#17472276)

Change your name from "melonman" to "melonhead".

Re:Dunno about better (1)

Scarblac (122480) | more than 7 years ago | (#17471400)

What they can do is list the IPs from which spam has originated. Period. That's what they're supposed to do.

Re:Dunno about better (1)

Pig Hogger (10379) | more than 7 years ago | (#17472164)

What they can do is list the IPs from which spam has originated. Period.

And you will have as much spam as before.

Spam-friendly ISPs will regularly give different IP addresses to spammers.

SPEWS stands for SPam Early Warning System. That is, it BLOCKS spam BEFORE it leaves the network, in anticipation of the ritual spammer IP address change. And that can only be achieved by listing the whole IP range of the spam-friendly ISP.

Re:Dunno about better (1)

LurkerXXX (667952) | more than 7 years ago | (#17472848)

No, that's what YOU think they are supposed to do. Myself, I like to know what asshole ISPs are out there that like to host spammers and give them a new IP every day, and just block the whole crappy ISP. If you want your mail to get to my mail server, start using another ISP with ethics, otherwise I'm just going to bounce everything you send because I'm tired of dealing with all the crud from your ISP. That's what I want them to do. :)

Re:Dunno about better (1)

Ed Avis (5917) | more than 7 years ago | (#17471414)

It's not the RBL's job to fight spam, only to give an honest estimation of how likely a particular IP address is to be a spammer. People can then use this to configure their mail system to filter out most spam and let through most legitimate mail.

If SPEWS feel the need to punish ISPs for their behaviour, they need two classes of blacklist: one that says 'this address sends spam', and one that says 'this address probably isn't a spammer, but it belongs to a Bad Network'. Then let users choose for themselves whether to take part in the crusade.

Re:Dunno about better (2, Informative)

mvdwege (243851) | more than 7 years ago | (#17472268)

If SPEWS feel the need to punish ISPs for their behaviour, they need two classes of blacklist: [...]

People would take you a lot more seriously if you would do your homework before making bold statements.

Hint: try reading the SPEWS FAQ and looking at the database before spouting off.

Mart

Re:Dunno about better (1)

Ed Avis (5917) | more than 7 years ago | (#17472598)

spews.org is missing from DNS for me for some reason, but thanks for the correction. If this is indeed the case, then I wonder what all the fuss is about.

Re:Dunno about better (1)

mvdwege (243851) | more than 7 years ago | (#17472934)

OK, I'm assuming your ignorance was not malicious. Yes, SPEWS does use multiple levels of blocking, for sources that are positively identified as either being spam sources or belonging to a provider that does not appear to have decent abuse handling they publish a list that can be used for blocking, and for other sources they use a list that is merely 'watched' (and expressly advised not to be used as an RBL).

Although the fact that they haven't been updated since August worries me a little. Possibly the SPEWS admins suffer from burn-out? Or they have concluded that others do the same work much better (like e.g. Spamhaus)?

Mart

Re:Dunno about better (3, Informative)

Lost Race (681080) | more than 7 years ago | (#17471488)

SPEWS is probably not relevant any more. There have been no changes to the published DNSBL zones since 2006-08-24; apparently the database is no longer being maintained.

Re:Dunno about better (1)

fractalus (322043) | more than 7 years ago | (#17472190)

What you're supposed to do is suck it up and take it like a man.

Let me explain. You have to decide what it is you're trying to accomplish as a blacklist operator. Are you trying to advise people of spam sources? Or are you trying to punish spammers and their friends?

If you're just trying to advise people of spam sources, so that they can choose not to receive mail from spammers, then do just that. List spam sources, and stop there. Mission accomplished, although spammers will move around and you'll have to maintain your database. Don't like that? Don't run a blacklist.

If you're trying to punish spammers, or you're trying to evict them from the internet, then you're probably OK with the whole collateral damage thing. And that's fine... just be honest with your blacklist users that that's what you do, so they can make an informed decision about whether you're trustworthy or not.

The biggest problem with blacklists is that their operators tend to start out with the first attitude, but as the maintenance grinds them down, they shift over to the second group. So most blacklists start off well-intentioned before sliding down into ethics almost as questionable as the spammer.

Re:Dunno about better (1)

LurkerXXX (667952) | more than 7 years ago | (#17472946)

Don't like that? Don't run a blacklist.

Wow, I'm glad they have you to tell them how they have to run a blacklist.

FYI, some ISPs give spammers new IP addresses every day. IMO there's just one way that should be dealt with, block the ISP entirely. There's no need to take in new spam every day until you catch that day's list of IPs from that ISP. Just blocking the ISP is much more efficient. If there is collateral damage, that's the fault of the crappy ISP.

Don't like how they run their blacklist? Tough. Don't use it. Others who like it will. They don't have to 'not run a blacklist' because you aren't happy about it.

Re:Dunno about better (1)

iangoldby (552781) | more than 7 years ago | (#17472342)

What exactly is an RBL operator supposed to do about large server parks that simply do not give a shit about the spammers residing on their network?

The original post explained why the end does not justify the means. You 'counter' it by insisting that since you can't think of anything better the end does justify the means. Welcome to rational debate.

Not that I'm blaming you - and you did say that you don't use RBLs anymore.

Perhaps since there is no 'rational' answer to this question of priorities, the best solution is to let the people who are affected by the collateral damage - i.e. the email recipients - decide on their priorities for themselves.

Re:Dunno about better (0)

Anonymous Coward | more than 7 years ago | (#17472458)

SPEWS is a menace!

I used to work for a hosting company that got a new customer that turned out to be a major spammer. When the complaints started we started the process of terminating this customer but this was impeded due to the fact that all messages from SPEWS and most other RBLs were anonymous and due to legal reasons a complaint had to be from a known person in order for it to be usable in the process. It was also impossible to respond to the complaints or correct errors, the latter turned out to be important because as we terminated the spamming customer, SPEWS refused delisting because the IP's were still in use... Which they weren't but they had got the range in question wrong. This entire matter was closed in early 2002 and the listing still stands, despite attempts at having things delisted several times since (which resulted in nothing but ridicule from NANAE). There has not been a single major complaint since 2002 (their evidence file has not been updated at all) and they still list this hosting company as a major spam heaven, listing their entire allocation full throttle.

Re:Dunno about better (1)

TheDawgLives (546565) | more than 7 years ago | (#17472996)

That doesn't work in a business setting. As an e-mail system manager, I get heat for letting in spam but I get a LOT more heat for blocking legitimate business related e-mail. And my bosses don't care about RBLs and ISPs that allow spam, they just want their e-mail. Just yesterday dnsrbl.sorbs.net blocked an e-mail from an sbc mail server. I had to switch to safe.dnsrbl.sorbs.net. That doesn't block as many IPs because it doesn't include the escalations.
It would be nice to punish brain-dead ISPs, but in the business world you'd just be punishing yourself.

Re:Dunno about better (0)

Anonymous Coward | more than 7 years ago | (#17471426)

I disagree.

Why? Well, I think the ISP in this question is acting 'as the mafia don'. He usually doesn't involve himself with the criminal activity itself - but he gets a cut of all the money.

This is like saying "We don't want to talk to you, if you pay money to the mafia don" (the ISP).

Re:Dunno about better (1)

Pig Hogger (10379) | more than 7 years ago | (#17472132)

But avoid SPEWS like the plague. They have a wonderful policy of blacklisting entire 16-bit IP ranges because one machine in an enormous server park has been used to send spam.

They know this causes massive collateral damage to machines administrated by totally independent companies, many of them small and liable to suffer severe hardship because of this arbitrary action. That's precisely the idea: they keep hurting non-spammers to make them lobby the server parks to deal with the spammers.

Bullshit. SPEWS policy is extremely simple: one spam will list THE IP, and it is only if abuse complaints regarding spam are NOT resolved that the listing is escalated until the whole ISP is blacklisted.

SPEWS is a list of spam-tolerant ISPs.

The hardship cast upon smaller clients of the ISP is brought to them only by their indirect support of spammers through their direct support of spam-friendly ISPs.

Now if one wants a less aggressive blacklist, one can always look at Spamhaus [spamhaus.org] .

Re:Dunno about better (1)

Temsin (744821) | more than 7 years ago | (#17472494)

You needn't worry about SPEWS. It is already dead: http://mirror.bliab.com/spews/ [bliab.com] .

Expect SORBS to be kicked off the servers they are on for financial fraud pretty soon.

In case you didn't know: SORBS also hosts the SPEWS blacklist.

As you've guessed, both blacklists are nothing but extortion rackets.

Re:Dunno about better (1)

Tinfoil (109794) | more than 7 years ago | (#17472584)

My current employer was listed on SPEWS for this very reason. However, my provider did deal with the issue in a very quick and timely manner, IMHO, by shutting down the spammer's account within 24 hours of my bringing it to their attention, but SPEWS took their damned time removing the block. It caused some rather large headaches for a week or two as our primary vendor supplying 80% of our stock was utilizing SPEWS.

SPEWS is bad. SORBS isn't horrible. The problem with many block lists is that they are, more often than not, staffed by anti-spam militants and really don't give a rat's ass if their lists cause problems as long as they themselves do not get spam. They, somewhat understandably, spout "If you don't like it, you don't have to use it", which I can't argue with.

Re:Dunno about better (1)

mrmeval (662166) | more than 7 years ago | (#17472924)

The server park can deal with the asshat spammer or lose business.

All I ask.. (1)

NoxNoctis (936876) | more than 7 years ago | (#17470948)

is that you not use SPEWS. Oh the pain that "list" causes me.

I use SPEWS (0)

Anonymous Coward | more than 7 years ago | (#17472626)

and if you don't like that, you can kiss my ass.

Never ever... (2, Insightful)

cyberrobo (635771) | more than 7 years ago | (#17470974)

...use RBLs at SMTP-Level without any kind of scoring algorithm (only block when $x out of $y RBLs have the IP listed) unless you don't care about your mails. There have been major fuckups with single RBLs in the past and there will be such in the future. Especially with SORBS. See http://www.google.com/search?q=sorbs+sucks [google.com] .

I thought that'd be common knowledge by now, but apparently I'm mistaken.

Re:Never ever... (1)

geminidomino (614729) | more than 7 years ago | (#17471692)

How many Scoring Algorithms can be used during the DATA phase?

Re:Never ever... (1)

swillden (191260) | more than 7 years ago | (#17472262)

How many Scoring Algorithms can be used during the DATA phase?

Any scoring algorithm that relies only on the sending server IP address, HELO data, MAIL FROM, and RCPT TO can be done prior to DATA. There are plenty of tools that implement an SMTP server front-end and do scoring at this level, and blocking based on the score.
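The "$x out of $y RBLs" rule discussed in this sub-thread, as an added example (not code from any poster or from a particular mail filter): the connecting IP is looked up in several DNSBL zones and rejected only when at least `min_hits` of them return a listing. The zone names, the resolver table and the 192.0.2.10 address are constructed for illustration; 64.233.182.185 is the Gmail address from the story summary, and `resolve` stands in for whatever DNS lookup your filter uses.

```python
import ipaddress

# A DNSBL signals "listed" with an A record inside 127.0.0.0/8 (RFC 5782).
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Build the lookup name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listing(answers):
    """Only 127.0.0.0/8 answers count. A parked or wildcarded zone that
    answers every query with a public address must not look like a hit."""
    return any(ipaddress.ip_address(a) in LISTED_NET for a in answers)


def check_client(client_ip, zones, resolve, min_hits):
    """Reject only when at least min_hits zones list the client.

    resolve(name) returns a list of A records ([] for NXDOMAIN) and raises
    OSError on timeouts or server failures. A list that cannot be reached
    is recorded as unavailable and never counted as a hit.
    """
    hits, unavailable = [], []
    for zone in zones:
        try:
            answers = resolve(dnsbl_query_name(client_ip, zone))
        except OSError:
            unavailable.append(zone)
            continue
        if is_listing(answers):
            hits.append(zone)
    action = "reject" if len(hits) >= min_hits else "accept"
    return {"action": action, "hits": hits, "unavailable": unavailable}


# --- Constructed sample data (hypothetical zones, not real blacklists) ---
ZONES = [
    "aggressive.dnsbl.example",  # lists whole ranges, prone to false positives
    "trap.dnsbl.example",        # lists individual spam-trap hits
    "dead.dnsbl.example",        # abandoned zone, now wildcarded
    "slow.dnsbl.example",        # times out
]

_LISTINGS = {
    # The Gmail server from the story: present on one aggressive list only.
    "185.182.233.64.aggressive.dnsbl.example": ["127.0.0.2"],
    # A constructed spam source (TEST-NET-1 address) on two lists.
    "10.2.0.192.aggressive.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.trap.dnsbl.example": ["127.0.0.4"],
}


def fake_resolve(name):
    """Offline stand-in for a DNS A lookup over the constructed table."""
    if name.endswith(".slow.dnsbl.example"):
        raise TimeoutError("constructed timeout")
    if name.endswith(".dead.dnsbl.example"):
        return ["203.0.113.5"]  # wildcard answer outside 127.0.0.0/8
    return _LISTINGS.get(name, [])


if __name__ == "__main__":
    for ip in ("64.233.182.185", "192.0.2.10"):
        for threshold in (1, 2):
            result = check_client(ip, ZONES, fake_resolve, threshold)
            print(ip, "min_hits=%d" % threshold, result)
```

With `min_hits=1` the single aggressive listing is enough to reject the Gmail address; with `min_hits=2` it is accepted while the address on two lists is still rejected. The decision uses only the connecting IP, so it can be made before DATA.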

SURBL (5, Informative)

tootired (91527) | more than 7 years ago | (#17470988)

SURBL is a URL blacklist.

Employing it enables your spam software to block emails that have matching blocked urls in the message body.

I have not gotten any false positives with it and it blocks a ton of nasty phishing stuff in addition to the usual SpermaMAXX crap.

Expect many false positives (3, Informative)

dtfinch (661405) | more than 7 years ago | (#17471018)

All the blacklists I know have a tendency to block entire ISPs rather than just the ranges known to generate spam, if they think the ISP isn't taking sufficient action against its spammers or spambot infected customers.
Blacklists and whitelists are useful, but I wouldn't use them as the sole indicator of whether or not an email is spam.

Re:Expect many false positives (1)

dtfinch (661405) | more than 7 years ago | (#17471108)

Pretend I said "blacklist" instead of "block", since the lists don't do the blocking.

Re:Expect many false positives (1, Informative)

Anonymous Coward | more than 7 years ago | (#17471374)

The point of blocking a rogue ISP, rather than just "the ranges known to generate spam", is simple. If the ISP has made it clear it has a policy of permitting its services to be used to generate spam, then any and all of its IP addresses are likely to be used by spammers within short notice. Spammers are aware of when they're blocked, and if the ISP is on the spammers' side, they will happily hand the spammer new IP addresses every time the old ones get blocked.

Trying to keep spammers blocked when the ISPs are moving them around is called "whack-a-mole" and it is a pointless endeavor.

ISPs have a choice not to willingly host spammers. They don't have to become super-duper spamfighters in order not to get blocked. All they need to do is not host spammers. It's really not that hard! Just consider: if you're an ISP and someone calls up and says they want to be your customer, and you find out that they want to sell penis pills and horse porn, use your common sense! The ISPs that are willful spammer hosts at this point are the ones which have thrown their lot in with the spammers, and to hell with the rest of the net.

Want to know where the spammers are? Check this list. [spamhaus.org] The ISPs with the worst spammer problems are Verizon Business, Serverflo, and SBC. If you choose to host with these ISPs, you are moving into a neighborhood where the "government" (the ISP) is already proven to be in bed with the Internet's largest native criminal element. If you do this, you should expect the rest of the world to treat you with some suspicion.

SORBS should be shut down. (5, Interesting)

finchwizard (889672) | more than 7 years ago | (#17471022)

I'm sorry but SORBS should be shut down. The amount of time I myself and many colleagues have managed to get onto SORBS because we were classed as a dynamic IP range, despite having blocks of IP's and it's extremely hard to get off it. I understand blocking people with Open relay servers, but being in a dynamic range, which can mean IP's being assigned to you from your ISP is a joke. Everyone should be boycotting these guys, two of the large ISP's in Australia use these guys to filter out spam, and are being blocked by small businesses and Education. I've never posted comments on Slashdot yet, but this is one I feel very strongly on, and SORBS should be avoided at all costs. If they deem you a Spammer, despite proving to them you are not, they still reserve the right to keep you on the list and completely screw over your business.

Re:SORBS should be shut down. (2, Interesting)

CowboyBob500 (580695) | more than 7 years ago | (#17471060)

I use SORBS precisely because they block dynamic IP ranges. 99% of spam comes from trojaned machines on dynamic IPs and I find this extremely effective at blocking spam. If your mailserver lives on a dynamically assigned IP then that is your problem. In my opinion a mail server should ALWAYS be on a static IP - I view it as a sign of a trusted mail server. If your ISP can't provide this, then you need to change your ISP. I'm sorry, but I have absolutely no sympathy in this situation. There is no reason for a real business to rely on dynamic IPs on their servers.

Bob

Re:SORBS should be shut down. (4, Insightful)

finchwizard (889672) | more than 7 years ago | (#17471106)

All 30 IP's I rent are Static, and that has never changed over the years I've owned them, my servers are also running Linux and are very secure with both Spamassassin and ClamAV scanning, as well as blocking certain mimetypes. So don't give me dynamic IP range stuff, I was lucky that my ISP managed to straighten them out, but I've had friends that aren't as lucky. Of course SORBS is going to block a high rate of spam, it's also blocking a lot of legitimate people, and the fact they are extorting people to get off the list is ludicrous.

Re:SORBS should be shut down. (1)

LurkerXXX (667952) | more than 7 years ago | (#17473114)

I use spamd and RBLs and don't have to waste CPU cycles on Spamassassin, so don't give me any of this dynamic IP ranges are ok stuff...

He's free to use the tools he likes to do the job. It's his mail server folks are trying to talk to. He's free to reject whoever he wants and for whatever reason.

Re:SORBS should be shut down. (0)

Anonymous Coward | more than 7 years ago | (#17471266)

I think parent poster's concern was that SORBS falsely identifies a static IP range as dynamic. I can see them maybe blocking IP addresses in a range that they think are all dynamic (maybe blocking an entire /21 or /22), but AFAIK SORBS really has no way of knowing for sure unless they have detailed information on an ISP's IP addressing layout and policy.

Re:SORBS should be shut down. (1)

geminidomino (614729) | more than 7 years ago | (#17471710)

AFAIK SORBS really has no way of knowing for sure unless they have detailed information on an ISP's IP addressing layout and policy.

That's what rDNS is for. If it's not working, they should contact their ISP.

Re:SORBS should be shut down. (1)

c_g_hills (110430) | more than 7 years ago | (#17471066)

SORBS does not block anybody. It is simply a tool used by postmasters to make decisions about what messages they wish to accept.

Re:SORBS should be shut down. (1)

91degrees (207121) | more than 7 years ago | (#17471364)

Interesting. Why do you think this matters? Is there some shame in blocking IP addresses?

Re:SORBS should be shut down. (0)

Anonymous Coward | more than 7 years ago | (#17472344)

What does that remind me of? Oh yeah:

SORBS doesn't block people, sysadmins block people!

Re:SORBS should be shut down. (1)

tacocat (527354) | more than 7 years ago | (#17471536)

I agree with this assessment. SORBS is one of those spam fanatical groups that should be convinced they need a regime change. They are way too aggressive.

One RBL list that I was using briefly because of false positives still had an interesting approach. They blocked anyone who was reported as delivering spam for 45 minutes and then removed them from the list. The problem for me was that they blocked the mailing lists that I subscribe to.

They should never report mailing lists as sending spam. The mailing lists are trying to sort their own out and to block them causes a lot of damage.

Re:SORBS should be shut down. (1)

iangoldby (552781) | more than 7 years ago | (#17472284)

I don't think anyone who administers email on behalf of others should use SORBS. If you use the SORBS lists to block email, some legitimate email will be blocked. You can only really justify use of SORBS in this way if everyone affected understands and is happy with this situation.

I object to SORBS on ideological grounds - that its fee for delisting is about as close as you can get to extortion without actually breaking the law.

It is also frighteningly easy to get listed. They look after a number of 'secret' spam-trap addresses. They operate a 'three strikes and you are out' policy with these trap addresses. That is, on the third instance of a server sending an email to a SORBS spam-trap address, that server will be blacklisted. Blacklisting is permanent if you don't pay the delisting fee.

The usual argument is that server administrators are responsible for preventing their servers from being used for spam. That's all very well, but if a malicious (or just stupid) user sent just three emails to SORBS spam-trap addresses, that server will be blacklisted immediately. No 'if's, no 'but's. How is an administrator expected to prevent that?

In summary, I would recommend everyone to steer well clear of SORBS, unless used strictly as part of a scoring system. If you do use SORBS, make sure that everyone affected understands the consequences of collateral damage and is happy that some legitimate emails to them will be blocked.

Large ISPs that block emails using SORBS are being totally irresponsible.

(You can read a bit more about my battle with NTL here [goldby.net], for what it's worth.)

Orange = Wanadoo (4, Informative)

grahamm (8844) | more than 7 years ago | (#17471034)

Orange is part of Wanadoo who are known to be both spam friendly and to host spamvertised web sites. So maybe listing Orange is not such a bad idea.

Re:Orange = Wanadoo (3, Informative)

Ksempac (934247) | more than 7 years ago | (#17471932)

First, Wanadoo doesn't exist anymore. Second, Orange has never been part of Wanadoo. Wanadoo was the ISP branch of France Telecom (the main phone company in France), who bought the British mobile phone company Orange. Then they decided to merge all their mobile phones/ISP services in Europe (including Wanadoo and Orange, but also many others) into one single company called Orange [wikipedia.org]. Third, before saying some company is spam friendly, you should get some reliable source.

But pretty much EVERY ISP is spam-friendly (2, Interesting)

Anonymous Brave Guy (457657) | more than 7 years ago | (#17472886)

The problem with this argument is, as usual, collateral damage. While there may be a spammer using Wanadoo somewhere, there are also many legitimate users who will be caught in the blast radius.

Before anyone replies with the usual holier-than-thou "Well they should change their ISP then", please consider that this is not trivial for a lot of people. Moreover -- and here's the real kicker -- pretty much every ISP is "spam-friendly" because, as the recent spam wave has demonstrated all too clearly, pretty much every ISP has lots of compromised machines running on it, and those machines can be abused without the informed consent of either their owner or the ISP.

it's not the providers job to delist themself (2, Insightful)

tolonuga (10369) | more than 7 years ago | (#17471046)

if you run an anti-spam filter, it is your job to make sure your data is accurate.
but if you think your users would pressure some admin so they get back to you,
that is keeping mails hostage and not an acceptable practice.

if you do that, it is not part of the solution, it is part of the problem.

Use spam assassin with more than one RBL (3, Insightful)

simm1701 (835424) | more than 7 years ago | (#17471050)

I prefer to use spam assassin and use a couple of RBLs with various weightings on each.

I keep the weightings quite low since I find most of the RBLs too aggressive - added to the bayes and other checks however it is quite good at pushing spam into the right destination (and for the very spammy that's /dev/null)

True, this means I actually have to receive and process the mail rather than just arbitrarily ignoring connections, but my mail server doesn't really get that much traffic as it's only personal use.

Re:Use spam assassin with more than one RBL (4, Informative)

Zocalo (252965) | more than 7 years ago | (#17471222)

To extend on that I also have a META rule set up to handle DNSBLs in SpamAssassin that adds some additional points based on how many RBLs each IP address has hit. A server on one DNSBL may be a false positive or an over aggressive listing, but if it's on three or four then it's almost certainly spam and gets an extra couple of points towards being classed as spam. If it matches five or more, then it gets an instant +50 file in the mailbox "/dev/null" score.

Re:Use spam assassin with more than one RBL (1)

SuiteSisterMary (123932) | more than 7 years ago | (#17473376)

That's elegant. Can you share?

Re:Use spam assassin with more than one RBL (1)

Anonymous Brave Guy (457657) | more than 7 years ago | (#17472968)

Yes, combination techniques are definitely the way to go. Any one RBL (or content test for that matter) can be fooled or make a mistake. Fooling many such tests or accidentally hitting all of them is much less likely.

Looking at the filtered headers for a system I admin, which catches nearly all incoming spam and very rarely (perhaps once in six months) gets any false positives, the vast majority of the real spam is picked up by several RBLs, and then fails several of the content tests as well.

There is simply no need to rely on any single point of failure in spam control, and given the notorious unreliability of several major RBLs, it would be insane to do so.
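
The weighted multi-DNSBL scoring described in this subthread (low per-list weights, a couple of extra points at three or four listings, +50 at five or more), sketched in Python as an added example; it is not any poster's actual SpamAssassin configuration. The zone names, weights, threshold and sample answers are constructed assumptions.

```python
import ipaddress
import socket

# Hypothetical DNSBL zones with deliberately low individual weights
# (assumption: names and numbers are illustrative, not from the thread).
ZONE_WEIGHTS = {
    "bl-a.example": 1.5,
    "bl-b.example": 1.0,
    "bl-c.example": 1.0,
    "bl-d.example": 0.5,
    "bl-e.example": 1.0,
    "bl-f.example": 1.0,
}
SPAM_THRESHOLD = 5.0  # assumed cut-off for classing a message as spam
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Live lookup; returns the A record as a string, or None if absent."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(answer):
    """Only answers inside 127.0.0.0/8 count as a listing.

    A zone that has gone away and now resolves every name to some
    public address must not be treated as "everything is listed".
    """
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_NET
    except ValueError:
        return False


def score_ip(ip, resolver=system_resolver, zone_weights=ZONE_WEIGHTS):
    """Sum per-list weights, then add the hit-count bonus."""
    hits = [z for z in zone_weights
            if is_listed(resolver(dnsbl_query_name(ip, z)))]
    base = sum(zone_weights[z] for z in hits)
    if len(hits) >= 5:
        bonus = 50.0   # "instant +50" for five or more lists
    elif len(hits) >= 3:
        bonus = 2.0    # "an extra couple of points" for three or four
    else:
        bonus = 0.0    # one or two hits may be an over-aggressive listing
    score = base + bonus
    return {"hits": hits, "score": score, "spam": score >= SPAM_THRESHOLD}


def _listings(ip, zones, answer="127.0.0.2"):
    return {dnsbl_query_name(ip, z): answer for z in zones}


# Constructed sample data (documentation address ranges), so the
# example runs offline.
SAMPLE_ANSWERS = {}
SAMPLE_ANSWERS.update(_listings("192.0.2.10", ["bl-a.example"]))
SAMPLE_ANSWERS.update(_listings(
    "192.0.2.20", ["bl-a.example", "bl-b.example", "bl-c.example"]))
SAMPLE_ANSWERS.update(_listings(
    "192.0.2.30", ["bl-a.example", "bl-b.example", "bl-c.example",
                   "bl-d.example", "bl-e.example"]))
# A zone answering with a non-127/8 address: must not count as a hit.
SAMPLE_ANSWERS.update(_listings("192.0.2.40", ["bl-f.example"],
                                answer="203.0.113.7"))


def sample_resolver(name):
    """Offline stand-in for DNS, backed by SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, score_ip(ip, resolver=sample_resolver))
```

A single listing stays well under the threshold, which is what keeps one over-aggressive list from rejecting mail on its own.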

Freedom2Surf (3, Interesting)

Phil John (576633) | more than 7 years ago | (#17471064)

They're currently allegedly trying to extort money from a UK ISP Freedom2Surf (sadly now part of the Pipex group).

By default SORBS apparently block all dynamic IPs. For some strange reason they've deemed that 8192 IPs that are actually in the F2S static range are dynamic because the reverse DNS includes the IP address.

I've heard that they want $50 per IP to unblock them. They won't even talk to users who have static IP addresses in that range to get the block lifted.

Re:Freedom2Surf (0)

Anonymous Coward | more than 7 years ago | (#17471234)

Read the SORBS Dynamic IP removal information carefully - You might notice that they ask you to conform to an RFC that the founder of SORBS wrote himself. Suss, or what?

Answered by editor (1)

dtfinch (661405) | more than 7 years ago | (#17471086)

"from the blacklists-in-general-are-like-this dept."
That about sums it up.

SORBS should be avoided at all costs (4, Informative)

Anonymous Coward | more than 7 years ago | (#17471202)

Several reasons why:
Large netblocks will be repeatedly put onto one of their lists if they don't comply with the founder/main admin's idea of how reverse DNS should be configured. They will list IP blocks that don't conform to an RFC that funnily enough, he wrote.

Getting in contact with them in any reasonable timeframe is damn near impossible in any timely manner.
Primary/Secondary SMTP servers of ISPs will often be listed as part of their blanket block approach.

They continually block whole IP ranges that are statically assigned, often automatically with seemingly no human oversight. There can be found many complaints on assorted web forums across the net, especially Australian, full of people trying to figure out why they were listed on one of the SORBS lists, and how to be removed.

Almost all of the issues I have run into with SORBS don't seem to have anything to do with eliminating spam, more to do with pushing the founder's RFC for reverse lookups. Comply, and you are free from hassle forever. Fail to comply, and face losing SMTP access to any providers using SORBS for anywhere from a day to over a week.

Re:SORBS should be avoided at all costs (1)

Pig Hogger (10379) | more than 7 years ago | (#17472204)

Large netblocks will be repeatedly put onto one of their lists if they don't comply with the founder/main admin's idea of how reverse DNS should be configured. They will list IP blocks that don't conform to an RFC that funnily enough, he wrote.
If it's in an RFC, it's the law.

Re:SORBS should be avoided at all costs (1)

sparks (7204) | more than 7 years ago | (#17472238)

This is categorically not true. An RFC is a request for comments. A suggestion. That's all. No one is required to comply with anything in an RFC.

Re:SORBS should be avoided at all costs (1)

sparks (7204) | more than 7 years ago | (#17472294)

It's not even an RFC. It's a badly written and expired draft.

Linked here [ietf.org]

There is absolutely no chance of this becoming an RFC. It's utterly facile.

SORBS!!! I'd like to ABsorb the so-and-so's!!! (5, Interesting)

Anonymous Coward | more than 7 years ago | (#17471206)

I have a fixed IP address provided by my ISP. I run my own servers and have done for nearly 10 years. My servers are not now, and have never been Open Relay. I have run every possible test to make sure that is the case. SORBS, in their infinite wisdom, deem my address to be dynamic because it is part of a permanently leased dynamic range, so they block me, and therefore I cannot send email to anyone using two of the major ISPs in Australia. I have emailed SORBS and asked them to check my server. No response. I have spoken to the Telecommunications Industry Ombudsman in Australia, who tell me they can't do anything, that I should talk to "The Australian Communications and Media Authority", but if you are to check the SORBS site it specifically mentions that "The Australian Communications and Media Authority" have no influence over them at all. I have threatened SORBS with legal action. No response. Basically, they don't care less that I can't send email to the majority of Australia's internet users, because I won't donate money to them.

If you visit their site their tag line says "Fighting spam by finding and listing Exploitable Servers." This really should read "Exploiting small businesses through a cash for delisting scam".

Oh, and I forgot to mention, I've been told that the two major Australian ISPs who use SORBS just happen to form part of the "group of companies as a private venture" that make up SORBS. Interesting, huh?

Re:SORBS!!! I'd like to ABsorb the so-and-so's!!! (2, Informative)

Pig Hogger (10379) | more than 7 years ago | (#17472236)

so they block me, and therefore I cannot send email to anyone using two of the major ISPs in Australia. I have emailed SORBS and asked them to check my server.
You're shooting at the wrong duck. You're not being blocked by SORBS, but by the "two major ISPs in Australia". Your beef is with them, not SORBS.

Re:SORBS!!! I'd like to ABsorb the so-and-so's!!! (1)

Anonymous Brave Guy (457657) | more than 7 years ago | (#17473086)

That's a very shortsighted view. We had defamation laws for a reason, and that reason is that while sticks and stones will break your bones, words most certainly can hurt you as well. I don't see why the actions of SORBS -- which sound like a pretty obvious protection racket looking at the comments in this thread -- wouldn't lead to a very fast court case with a very negative result for the operators of SORBS.

Re:SORBS!!! I'd like to ABsorb the so-and-so's!!! (0)

Anonymous Coward | more than 7 years ago | (#17473290)

Sorry, but the defamation would be against your ISP, not yourself since it is their IP block that SORBS is blocking. And if you read SORBS website for what they say about their list, I don't think you are going to find that they have defamed you in any way. The major ISPs in Australia have chosen to use that list to lessen spam. Talk to them about not using SORBS, or get an IP for yourself from another ISP that isn't likely to get themselves listed on SORBS.

Re:SORBS!!! I'd like to ABsorb the so-and-so's!!! (1)

SuiteSisterMary (123932) | more than 7 years ago | (#17473328)

I'd say a little of column a, a little of column b.

I mean, sure, most of the blacklists say 'Hey, don't use this to reject mail completely!' They generally, however, go on to say '*wink wink* if you really want to, though, here's a config file snippet to drop into your mail config. *wink wink*'.

Use Surgemail (0)

Anonymous Coward | more than 7 years ago | (#17471210)

We have used Surgemail and are extremely happy with the performance and with the spam/RFC compliance filtering.
Check out http://www.surgemail.com/ [surgemail.com]. It is platform independent. Works on Windows, Mac, *Nixes

See what works best (1, Informative)

Anonymous Coward | more than 7 years ago | (#17471230)

Multi-RBL check [robtex.com]

Type in a few of your favourite IP addresses. See which lists have fewest misses.

My most recent spamcop report. (0)

Anonymous Coward | more than 7 years ago | (#17471270)

Using XXXX#XXXX@XXXXX.spamcop.net for statistical tracking.
Yum, this spam is fresh!
Message is 0 hours old
85.100.228.125 not listed in dnsbl.njabl.org
85.100.228.125 not listed in dnsbl.njabl.org
85.100.228.125 not listed in cbl.abuseat.org
85.100.228.125 listed in dnsbl.sorbs.net ( 127.0.0.10 )
85.100.228.125 not listed in relays.ordb.org.
85.100.228.125 not listed in accredit.habeas.com
85.100.228.125 not listed in plus.bondedsender.org
85.100.228.125 not listed in iadb.isipp.com
Possible open relay: 216.81.179.210
Yum, this spam is fresh!
Message is 0 hours old
216.81.179.210 not listed in relays.ordb.org.

I can't resist (1)

dethro (22344) | more than 7 years ago | (#17471310)

Either you are for us or for the terrorists.

In my experience RBLs do their job fine. They are an easy way to stop spam and because of that a lot of people use them. Because of this "ease of use" people get mad when a RBL tags an innocent IP addy.

You have to realize this is a war. Much more than 50 percent of email is spam - we have to take drastic measures to provide a basic service - email. If you don't like the way the RBLs operate - use other methods to stop spam. There are plenty of other ways - they just require more attention on your part. Deal with it.

Re:I can't resist (1)

cshotton (46965) | more than 7 years ago | (#17471970)

You have to realize this is a war. Much more than 50 percent of email is spam - we have to take drastic measures to provide a basic service - email.

That is because e-mail is an inherently broken set of protocols that were designed in the 70's as a hack to implement a store and forward message system on the old ARPAnet. If the e-mail industry spent the same amount of effort on engineering a next generation set of e-mail protocols and authentication methods that they spend on hacks like black hole lists, white lists, spam filters, etc., we'd have solved this problem long ago.

The problem is that the e-mail software business is much like the pharmaceutical industry. There's no long-term money in providing a cure. The money is made off of hacks that address symptoms, regardless of their ineffectiveness. The tragedy is that with a few well-considered extensions to the current SMTP standard, integrated public key technology could completely eliminate spam from anonymous or bogus senders.

The real question is why hasn't the IETF addressed this problem and issued standards that correct the flaws? Sure, there is an enormous installed base of broken SMTP servers, but a freely available backward compatible implementation of a new mail infrastructure solves that problem in a few years. So why don't we fix e-mail?

Re:I can't resist (2, Insightful)

sauge (930823) | more than 7 years ago | (#17472228)

There are a large crowd of email maintainers who believe anonymous email is important for political reasons.

I think you're right on the mark though with the pharmacy analogy. We were able to implement SMTP to ESMTP quite easily so it shows people can definitely implement changes in protocols.

I also vote with people who think black hole lists are pretty much useless these days because they swallow up so many innocent people/organizations.

It would be nice to have an open source barracuda ( http://www.barracudanetworks.com/ns/?L=en [barracudanetworks.com] ) like box - these things really work well.

SpamHaus, SPEWS and SpamCop (4, Informative)

christophe.vg (742168) | more than 7 years ago | (#17471316)

For a few years now, I've been using three RBLs to filter the incoming mails on our mail server, which hosts a few small-sized customers and some personal domains. The RBLs I use are: SpamHaus, SPEWS and SpamCop. We have set them up in sequence, so that a mail caught by one is not passed to the following anymore.

Looking at two days ...

01/01/07
total mails processed : 1432
considered non-spam : 719 (50.21%)
total number of blocks : 713 (49.79%)
spamhaus : 630 (88.36%)
spews : 2 ( 0.28%)
spamcop : 81 (11.36%)

01/01/06
total mails processed : 381
considered non-spam : 155 (40.68%)
total number of blocks : 226 (59.32%)
spamhaus : 191 (84.51%)
spews : 31 (13.72%)
spamcop : 4 ( 1.77%)

... it shows the trend I've seen over this time: SpamHaus does a great job for me and we haven't received any complaints from the customers concerning people not able to contact them.

Given these (poor-man's statistics) it seems that SPEWS is of little use to us. SpamHaus catches most of the problems. Maybe even if we switched SPEWS' and SpamCop's order, we might see that the latter would be able to catch those mails now caught by the former. It's surely something we're going to try.

On the other hand, it might very well be that SPEWS would catch also all SPAM caught by SpamHaus. Reversing the current order might be a nice test before we come to any real conclusions on which RBL to drop ;-)

The (current) bottom line: For us, SPEWS isn't causing any problems, but also doesn't help us that much. SpamHaus seems to be a great RBL source and SpamCop seems to be a nice addition.

But it doesn't stop all SPAM.

Re:SpamHaus, SPEWS and SpamCop (0)

Anonymous Coward | more than 7 years ago | (#17471532)

Might be an idea to drop SPEWS. Hasn't been updated since August, so it may be dead.

Re:SpamHaus, SPEWS and SpamCop (1)

oldosadmin (759103) | more than 7 years ago | (#17473212)

If you're using SpamCop, you will get hit with some false positives. SpamCop's list is aggressive, and lots of innocent servers get listed in their RBL. Especially if you ever want to receive emails from people using ESPs (IntelliContact, Vertical Response, Bronto), then don't use SpamCop.

(FYI: In the interest of full disclosure, I work for IntelliContact)

I would suggest staying away from it (1)

arivanov (12034) | more than 7 years ago | (#17471332)

Sorbs blacklists nearly all ISP relays which force their customers to send through them or do transparent SMTP proxying. On the positive side this means that you are not going to get those 1-2 per day annoying Spanish or Dutch lotto scams from orange/freeserve webmail. On the negative side this means that you are not going to get mails from small law abiding businesses like recruitment agencies and such. They also blacklist nearly all lesser webmails.

I tried it for 2 weeks around the time when SpamHaus future was in doubt in October and found it to have an unacceptable level of false positives.

I would suggest using all server level antispam possible - greylisting, autoblacklisting on spamtrap and top it up with SpamHaus. That leaves the annoying crap from l'Orange, but gives close to 0% false positives.

SORBS? (2, Insightful)

sigmoid_balance (777560) | more than 7 years ago | (#17471382)

Orange is not just an ISP. It's a multinational mobile telecom company. http://en.wikipedia.org/wiki/Orange_SA [wikipedia.org]. As far as I know, after they were bought by France Telecom, they moved many of their servers to a unique class B address space. Maybe that address you found is from the old ones, which is not used anymore for mail, so unblocking it doesn't interest them.

On the other hand, getting a blacklist like this doesn't seem to solve your problem: getting less SPAM. Do you think spammers don't have enough money to get themselves out of blacklists? Do you think that every individual legit (not SPAM) business or server checks all of the many blacklists to see if he's on one of them? And if they do, how many will pay the fee to get themselves off that list?

sbl-xbl (4, Informative)

Halo1 (136547) | more than 7 years ago | (#17471496)

sbl contains the spamhauses, xbl trojaned boxes/open proxies etc (you can of course also only use one of them). See http://www.spamhaus.org/xbl/index.lasso [spamhaus.org]

Some other zones (0)

Anonymous Coward | more than 7 years ago | (#17471546)

I HATE sorbs! (1, Interesting)

therealking (223121) | more than 7 years ago | (#17471976)

I absolutely HATE sorbs. We have Roadrunner business class at work with a static IP. SORBS blocks our mail because according to their "superior" knowledge our IP is dynamic. When I tried to get us delisted, I got an automated response that said basically: This is an automated response, no human has read your request but we've denied your request to be delisted.

If I ever meet the guy who runs sorbs I believe I will punch him in the mouth.

sorbs is one the best blacklists out there (3, Informative)

cyberfoxz (207499) | more than 7 years ago | (#17471994)

I work at the abuse dept. of a large Dutch ISP and we rely heavily on sorbs. When I started working there one of my colleagues convinced us that there is no way you could be able to contact sorbs and I thought that to be true. We found out however that it is really not that hard to get in touch with them and if you follow their guidelines, you never have to pay for delisting. The paying part is mainly to scare off spammers delisting addresses they do not own. They use a small set of totally acceptable rules to delist addresses from their DUL list (if you use a mailserver on a dynamic address, go get a static one. If you can't, you should be using your ISP's mailserver). Their rules:
1. Only the owner of the address space may contact them, as listed in one of the five RIR databases (RIPE, ARIN etc). We always use abuse@isp.com, because this is a known address in RIPE.
2. The IP address must be known as static and have a PTR-record stating it is static (mail.domain.com is acceptable).
3. It must have a correct A-record.
4. The TTL of the A-record must be 86400 sec.
If you contact them in the way they wish to be contacted (just read their website, it's not that hard), they will delist you in 24-48 hours. However, if you aren't the owner of the address space or the simple rules are not followed, your request will be ignored. Everyone who thinks they can't get through to sorbs just isn't reading their guidelines, it's that simple.

Re:sorbs is one the best blacklists out there (2)

TheLink (130905) | more than 7 years ago | (#17473324)

One of the best? Really? So what's their false positive and false negative rate?

So far in my experience RBLs have an unacceptably high false positive rate because of the way most of them work - they go by IP _ranges_.

My email provider doesn't block spam for me, they just give it a spam ranking. I then run my email through a bayes filter, if the ISP's ranking is high enough for my comfort or the bayes thingy thinks it's spam, then it's spam.

So far I've noticed only a few false positives (I scan very quickly through spam once in a long while - sorting by subjectline helps ;) ). And even so they weren't really false positives - they were either spamlike emails from friends/relatives (who I whitelist), or one of those chain emails.

I once was on the verge of blacklisting one of my relatives who kept sending junk.

Since you are an ISP, why don't you as an ISP regularly set up a bunch of decoy email accounts and start signing them up for spam? You know the usual methods. Even better if you can get few people to donate their longtime spamridden email address and they can get everyone else to no longer send emails to them. Then any email that hits multiple accounts is most likely to be junk.

I'm sure gmail does some statistical stuff to filter out spam. I'm sure they can figure out which email accounts are "related" and which aren't. If lots of unrelated/unlinked accounts start getting very similar email that aren't from whitelists (mailing lists etc), then it's almost certainly spam.

It's easier for an ISP or large email provider to do such things than an individual user.

Maybe a change of tactics is in order. (3, Informative)

kunwon1 (795332) | more than 7 years ago | (#17472296)

ORDB just shut its doors. From their closing announcement: (emphasis mine)

We regret to inform you that ORDB.org, at the ripe age of five and a half, is shutting down. It's been a case of a long goodbye as very little work has gone into maintaining ORDB for a while.

Our volunteer staff has been pre-occupied with other aspects of their lives. In addition, the general consensus within the team is that open relay RBLs are no longer the most effective way of preventing spam from entering your network as spammers have changed tactics in recent years, as have the anti-spam community.

We encourage system owners to remove ORDB checks from their mailers immediately and start investigating alternative methods of spam filtering. We recommend a combination involving greylisting and content-based analysis (such as the dspam project, bmf or Spam Assassin).

There are no worse than SORBS (0)

Anonymous Coward | more than 7 years ago | (#17472642)

They're fussy, blacklist at will... my old hosting provider was trying to clear its name with them, completely impossible despite the net-block being registered to them, then they mentioned lawyers and sorbs refused to do anything ever again if there were now lawyers involved...

So, yes SORBS is the worst.. it stops spam in the same kinda way that unplugging your modem stops spam.

SpamHaus (3, Interesting)

Wdomburg (141264) | more than 7 years ago | (#17472690)

SpamHaus is the only blacklist that I trust to do straight blocking on. We've been using them for years and have gotten a grand total of two complaints about blocked mail; in both cases the sender was on the XBL because their machine was compromised. Considering our active userbase is in the hundreds of thousands, I'd say that isn't bad at all. :)

We actively discourage people from using SORBS. Even if they were more accurate, their removal policy is extortion.

Any of the other blacklists out there I would recommend only as part of a scoring algorithm. Most are fairly cavalier about blocking entire netblocks even if the problem is isolated, most have no automatic aging of entries, many have poor delisting policies or are slow to respond and the false positive rates tend to vary from ok to abysmal (SpamCop, for example, doesn't seem to know the difference between a bounce message and a piece of spam... though to their credit they are fairly good about removals and provide a feedback loop so you at least know when they've tagged a message as spam).

Blacklists are so 2004 (4, Informative)

target562 (623649) | more than 7 years ago | (#17472714)

With the advent of the spam bot networks, blacklists aren't as useful for spam fighting as they used to be. Greylisting + content analysis is currently the way to go; though Spamhaus still does a decent job, but not Spamcop due to their "unsolicited bounces" thing...

Just say "no" (1)

LoadWB (592248) | more than 7 years ago | (#17473004)

I support the use of DNSRBLs (not by use alone, but it should augment a content-filtering system,) with the exception of SORBS. I have found it to be far too aggressive, more so than SPEWS. In fact, an ISP with which I partner wound up on SORBS, and during the removal process they discovered that a number of the recommended donation recipients will not accept the donations because of the myriad complaints over the process.

Ah, well.

No one takes them seriously (3, Interesting)

Spazmania (174582) | more than 7 years ago | (#17473068)

At this point, very few people take SORBS seriously. They're inaccurately over-aggressive. If you use it for more than your personal email, you're begging for a lot of user complaints.

My own fun story is that they went on to my web site and subscribed their spamtraps to my opt-in email list. I didn't double-confirm, so I guess it's my fault that they scammed me. SORBS then used the emails emitted from that single IP address to justify blocking 8,192 of my ISP's email addresses.

Every other RBL maintainer has found my list to be clean. The only non-SORBS problem I've had with an RBL was with Spamcop. That was immediately resolved when the only folks who responded to further inquiry apologized for reporting the list mail by mistake.

URIBLs are great (1)

oldosadmin (759103) | more than 7 years ago | (#17473248)

I'd highly recommend using some aggressive URIBL filtering -- that way, if someone gets blocked, you can be certain /they/ are the person you wanted to block.