Spam and Open Relay Blocking System
SORBS is a list of e-mail servers suspected of sending or relaying spam (a DNS blacklist). It has been augmented with complementary lists that include various other classes of hosts, allowing for customized email rejection by its users.

History

The SORBS DNSbl project was created in November 2002. It was maintained as a private list until 6 January 2003, when the DNSbl was officially launched to the public. The list consisted of 78,000 proxy relays and has grown to over 3,000,000 alleged compromised spam relays.

In November 2009 SORBS was acquired by GFI Software, in an attempt to enhance their mail filtering solutions.

In July 2011 SORBS was re-sold to Proofpoint, Inc.

DUHL

SORBS adds IP ranges that belong to dialup modem pools, dynamically allocated wireless, and DSL connections, as well as DHCP LAN ranges, by using reverse DNS PTR records, WHOIS records, and sometimes by submission from the ISPs themselves. This is called the DUHL, or Dynamic User and Host List. SORBS does not automatically rescan DUHL-listed hosts for updated rDNS, so to remove an IP address from the DUHL the user or ISP has to request a delisting or rescan. If other blocks are scanned in the region of listings and the scan includes listed netspace, SORBS automatically removes the netspace marked as static.

Matthew Sullivan of SORBS proposed in an Internet Draft that generic reverse DNS addresses include purposing tokens such as static or dynamic, abbreviations thereof, and more. That naming scheme would have allowed end users to classify IP addresses without the need to rely on third party lists, such as the SORBS DUHL. The Internet Draft has since expired. Generally it is considered more appropriate for ISPs to simply block outgoing traffic to port 25 if they wish to prevent users from sending email directly, rather than specifying it in the reverse DNS record for the IP.
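The kind of classification that naming scheme would have enabled can be sketched as follows. This is an added example, not code from SORBS or from the Internet Draft; the token sets beyond "static" and "dynamic" and the sample PTR names are assumptions constructed for illustration.

```python
import re

# Assumption: the page names only "static", "dynamic" and "abbreviations
# thereof"; these token sets are illustrative, not the draft's list.
STATIC_TOKENS = {"static", "stat"}
DYNAMIC_TOKENS = {"dynamic", "dyn", "dhcp", "dialup", "dsl"}

def tokens(hostname):
    """Split a PTR name into lowercase alphabetic and numeric runs."""
    return re.findall(r"[a-z]+|[0-9]+", hostname.lower())

def embeds_ip(hostname, ip):
    """True if the name contains the IPv4 octets, forward or reversed."""
    nums = [int(t) for t in tokens(hostname) if t.isdigit()]
    octets = [int(o) for o in ip.split(".")]
    windows = [nums[i:i + 4] for i in range(len(nums) - 3)]
    return octets in windows or octets[::-1] in windows

def classify(hostname, ip):
    """Return (purpose, generic); generic means the name is built from the IP."""
    found = set(tokens(hostname))  # whole tokens only, never substrings
    is_static = bool(found & STATIC_TOKENS)
    is_dynamic = bool(found & DYNAMIC_TOKENS)
    if is_static and is_dynamic:
        purpose = "conflict"       # contradictory tokens: do not guess
    elif is_static:
        purpose = "static"
    elif is_dynamic:
        purpose = "dynamic"
    else:
        purpose = "unknown"
    return purpose, embeds_ip(hostname, ip)

# Constructed PTR names on documentation addresses (RFC 5737).
SAMPLES = [
    ("dyn-203-0-113-7.example.net", "203.0.113.7"),
    ("7.113.0.203.static.example.net", "203.0.113.7"),
    ("mail.dynamicsoft.example.org", "198.51.100.25"),
    ("host-198-51-100-9.example.com", "198.51.100.9"),
]

if __name__ == "__main__":
    for name, ip in SAMPLES:
        print(name, classify(name, ip))
```

Matching whole tokens rather than substrings keeps a name such as mail.dynamicsoft.example.org from being classed as dynamic, and a generic name with no purposing token stays "unknown" rather than being guessed.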

SORBS' dynamic IP list originally came from Dynablock but has been developed independently since Dynablock stopped updating in December 2003.

Spam traps

IP addresses that send spam to SORBS spamtraps are added to their spam database automatically or manually. In order to prevent being blacklisted, major free email services such as Gmail, Yahoo, and Hotmail, as well as major ISPs, now implement strong outgoing anti-spam countermeasures. However, smaller networks may still unwittingly be blocked. Because spammers use viruses, malware, and rootkits to force compromised computers to send spam, SORBS lists the IP addresses of servers that the infected system uses to send its spam. Because of this, larger ISPs and corporate networks have started blocking port 25 in order to prevent these compromised computers from being able to send email except through designated email servers.

Preemptive listings

SORBS maintains a list of networks and addresses that it believes are assigned dynamically to end users or machines; it refers to this list as the DUHL (Dynamic User/Host List). The list includes wide networks of computers sharing the same IP address through network address translation, which are also affected: if one computer behind the NAT is allowed to send spam, the whole network will be blacklisted if the NAT IP is ever blacklisted. This is a common method of pre-emptive blocking, as most legitimate mail servers are hosted in data centers designed and provisioned for such services; the legitimate mail servers that are affected by such listings are most commonly those of home hobbyists running their own mail servers.

Escalated listings

SORBS has been accused of deliberately targeting innocent users through escalated listings. Its website describes the process as follows: "An escalated listing on the other hand is where a whole network of IP addresses is listed in SORBS and all hosts and IPs (whether assigned to a single customer or multiple) are listed and therefore blocked or result in spam folder issues. Why does SORBS create escalated listings? The simple answer is to stop spam. You ask, 'How does listing innocent IPs help stop spam?' Simple, some providers don’t care about spam." There have been many heated discussions on this practice, as it often appears that email users caught in this trap have no recourse: the listing applies to a block of IP addresses, and they are unable to release their own IP address. For these reasons, many believe that blacklists should be used cautiously and, if false positives are a concern, should only be included as one component in wider anti-spam measures, such as SpamAssassin.

Changes

Since the acquisition by Proofpoint, Inc., full-time support staff have been employed to answer delisting queries; however, the first round of answers to support requests is sent automatically by robot systems. Users rejected by the robots may respond to support tickets to speak with a human being, but as this is documented in the auto-response by the robot and not on the SORBS website, many have reported that it is impossible to get a human response to their issue(s).

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 