Spam and Open Relay Blocking System
SORBS ("Spam and Open Relay Blocking System") is a list of e-mail servers suspected of sending or relaying spam (a DNS Blackhole List). It has been augmented with complementary lists that include various other classes of hosts, allowing for customized email rejection by its users.
History
The SORBS DNSbl project was created in November 2002. It was maintained as a private list until 6 January 2003 when the DNSbl was officially launched to the public. The list consisted of 78,000 proxy relays and rapidly grew to over 3,000,000 alleged compromised spam relays.[1]
In November 2009 SORBS was acquired by GFI Software, to enhance their mail filtering solutions.[2]
In July 2011 SORBS was re-sold to Proofpoint, Inc.[3]
DUHL
SORBS adds IP ranges that belong to dialup modem pools, dynamically allocated wireless, and DSL connections as well as DHCP LAN ranges by using reverse DNS PTR records, WHOIS records, and sometimes by submission from the ISPs themselves. This is called the DUHL or Dynamic User and Host List.[4] SORBS does not automatically rescan DUHL-listed hosts for updated rDNS, so to remove an IP address from the DUHL the user or ISP has to request a delisting or rescan. If other blocks are scanned in the region of listings and the scan includes listed netspace, SORBS automatically removes the netspace marked as static.
Matthew Sullivan of SORBS proposed in an Internet Draft that generic reverse DNS addresses include purposing tokens such as static or dynamic, abbreviations thereof, and more.[5] That naming scheme would have allowed end users to classify IP addresses without the need to rely on third party lists, such as the SORBS DUHL. The Internet Draft has since expired. Generally it is considered more appropriate for ISPs to simply block outgoing traffic to port 25 if they wish to prevent users from sending email directly, rather than specifying it in the reverse DNS record for the IP.[6]
SORBS' dynamic IP list originally came from Dynablock but has been developed independently since Dynablock stopped updating in December 2003.[7]
Note that there is no mechanism that allows a third party to check whether an IP address was dynamically assigned, so there is no way to verify whether a listed IP really belongs to a dynamically assigned range. It is not uncommon to find IPs listed as dynamic that are actually being statically assigned by the ISP. Also note that the DUHL does not detect spam or suspicious activity, so it is advisable never to block mail just because an IP is listed there, but to use the listing as part of a more complex and intelligent anti-spam check.[8][9][10][11][12][13][14]
Spam traps
IP addresses that send spam to SORBS spamtraps are added to their spam database automatically or manually. In order to prevent being blacklisted, major free email services such as Gmail, Yahoo, and Hotmail, as well as major ISPs, now implement outgoing anti-spam countermeasures. Gmail, for example, continues to get listed and delisted[15][16] because they refuse abuse reports.[17] However, smaller networks may still be unwittingly blocked. Because spammers use viruses, malware, and rootkits to force compromised computers to send spam, SORBS lists the IP addresses of servers that the infected system uses to send its spam. Because of this, larger ISPs and corporate networks have started blocking port 25 in order to prevent these compromised computers from being able to send email except through designated email servers.[18]
Preemptive listings
SORBS maintains a list of networks and addresses that it believes are assigned dynamically to end users/machines. It refers to this list as the DUHL (Dynamic User/Host List).[19] Wide networks of computers sharing the same IP address through network address translation are also affected: if one computer behind the NAT is allowed to send spam, the whole network will be blacklisted if the NAT IP is ever blacklisted. This is a common method of pre-emptive blocking, as most legitimate mail servers are hosted in data centers designed and provisioned for such services. The legitimate mail servers affected by such listings most commonly belong to home hobbyists running their own mail servers. The Spamhaus Policy Block List (PBL) is another such pre-emptive list, which does not just list dynamic hosts but also blocks hosts it believes[20] should not be sending email directly to third-party servers. SORBS also operates a list similar to the Spamhaus PBL, called the NoServers list, which is wholly maintained by the network administrators of the respective networks and is therefore theoretically free of false positives.
Escalated listings
SORBS has been accused of deliberately targeting innocent users through escalated listings. Its website describes the process as follows: "An escalated listing on the other hand is where a whole network of IP addresses is listed in SORBS and all hosts and IPs (whether assigned to a single customer or multiple) are listed and therefore blocked or result in spam folder issues. Why does SORBS create escalated listings? The simple answer is to stop spam. You ask, 'How does listing innocent IPs help stop spam?' Simple, some providers don’t care about spam."[21] There have been many heated discussions on this practice as often it would appear that email users who are caught in this trap have no recourse, because the listing applies to a block of IP addresses, and they are unable to release their own IP address.
False positives
Due to the automation of spamtraps, SORBS regularly lists the addresses of legitimate mail servers. Therefore, SORBS should not be configured as a single blocking test in a spam filter, but used in combination with other spam indicators.
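The advice above and in the DUHL section, to treat a listing as one signal among several rather than as a sole blocking test, can be sketched as a weighted score. This is an added example, not SORBS or filter-vendor code; the zone name, answer-code mapping, weights, threshold and the extra indicators (`spf_fail`, `no_rdns`) are all assumptions, and the DNS answers are constructed so it runs offline.

```python
import ipaddress

ZONE = "dnsbl.example.net"  # hypothetical zone name, not a real service
# Constructed answer-code mapping; a real list documents its own codes.
CODE_CLASS = {"127.0.0.6": "spam", "127.0.0.10": "duhl"}
# Assumed weights: a preemptive (DUHL-style) listing is only a weak hint.
WEIGHTS = {"spam": 3.0, "duhl": 1.0, "spf_fail": 2.0, "no_rdns": 1.5}
REJECT_AT = 5.0  # assumed threshold


def query_name(ip, zone=ZONE):
    """Build the DNSBL lookup name: reversed address labels + zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 7.113.0.203.in-addr.arpa
    return rev.rsplit(".", 2)[0] + "." + zone       # drop in-addr.arpa / ip6.arpa


def listing_classes(ip, resolve):
    """resolve(name) returns a list of A-record strings, [] for NXDOMAIN."""
    answers = resolve(query_name(ip))
    return sorted({CODE_CLASS[a] for a in answers if a in CODE_CLASS})


def decide(ip, resolve, other_indicators=()):
    """Sum the weights of DNSBL hits and other indicators, then compare."""
    hits = listing_classes(ip, resolve) + list(other_indicators)
    score = sum(WEIGHTS.get(h, 0.0) for h in hits)
    return ("reject" if score >= REJECT_AT else "accept", score, hits)


# Constructed resolver data standing in for live DNS answers.
FAKE_DNS = {
    "7.113.0.203.dnsbl.example.net": ["127.0.0.10"],
    "9.100.51.198.dnsbl.example.net": ["127.0.0.6", "127.0.0.10"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    cases = [("203.0.113.7", []), ("203.0.113.7", ["spf_fail"]),
             ("198.51.100.9", ["spf_fail"]), ("192.0.2.1", [])]
    for ip, extra in cases:
        print(ip, extra, decide(ip, fake_resolve, extra))
```

A host that appears only on the dynamic-range list is accepted here, and rejection requires a spamtrap-style listing plus at least one independent indicator.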
Changes
Since the acquisition by Proofpoint, Inc., full-time support staff have been employed to answer delisting queries; however, the first round of support requests is answered automatically by robot systems.
Statistics
SORBS produces and publishes daily statistics about its list to the otherwise defunct Usenet newsgroup news.admin.net-abuse.bulletins (NANAB). The statistics published on Dec 13, 2017 show the following listing totals:
- Unique IPs in Proxy entries: 613475
- Unique IPs in Relay entries: 3035
- Unique IPs in Spam entries: 43356915
- Unique IPs in Hacked entries: 7293342
- Unique IPs in DUHL entries: 386362629
- Unique IPs in exDUHL entries: 903143
- Unique IPs in Cable entries: 2558245
- Unique IPs in Zombie entries: 1903877
- Unique IPs in UnAllocated entries: 76667
- Unique IPs in CoLo entries: 89329
- Unique IPs in MailServer entries: 31
- Unique IPs in Escalated entries: 2305
- Unique IPs in Phishing entries: 111986
- Unique IPs in Virus entries: 5466757
- Unique IPs in BackScatter entries: 31
- Unique IPs in Business entries: 4099699
- Unique IPs in Static entries: 7897857
- Unique IPs in NoServers entries: 45170512
- Unique IPs in CoreNetwork entries: 38594
- Unique IPs in Botnet entries: 380565
- Total IPs listed in the database: 506329110
References
- "Introduction and a bit of history". SORBS. June 2004. Retrieved 27 June 2009.
- John Leyden (6 November 2009). "Controversial email blocklist SORBS sold". Retrieved 5 December 2009.
- "Proofpoint buys SORBS anti-spam assets". 16 August 2011.
- "SORBS Dynamic User/Host List FAQ".
- Sullivan, Matthew (April 2006). "Suggested Generic DNS Naming Schemes for Large Networks and Unassigned hosts". IETF.
- "MAAWG Recommendation" (PDF). maawg.org.
- Matthew Sullivan (24 November 2003). "Notice SORBS DNSbl users, regarding the easynet blacklists being discontinued Dec 1 2003". Newsgroup: news.admin.net-abuse.email. Usenet: bpt171$ppj$1@bunyip.cc.uq.edu.au.
- http://www.sorbs.net/listing/aboutlistings.shtml
- http://www.sorbs.net/delisting/dul.shtml
- https://wordtothewise.com/2010/12/gfi-sorbs-considered-harmful-part-2/
- https://forums.whirlpool.net.au/archive/1549233
- https://forums.whirlpool.net.au/archive/1549195
- https://lists.debian.org/debian-isp/2006/07/msg00056.html
- https://forums.whirlpool.net.au/archive/441970
- https://support.google.com/mail/answer/26904?hl=en
- http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a209.85.215.50&run=toolpage
- https://productforums.google.com/forum/#!topic/gmail/Rr23mj9mtus
- "Port 25 (Sonic.net)". Archived from the original on 11 February 2005.
- "DUHL (Dynamic User/Host List) FAQ".
- "PBL Advisory".
- talkback.sorbs.net. talkback.sorbs.net (21 June 2010). Retrieved on 28 November 2011.