Whois.SmartWeb.CZ

The Spam and Open Relay Blocking System (SORBS) blacklist details for IP address 3.235.137.159

Website: http://www.sorbs.net/
Lookup URL: http://www.sorbs.net/lookup.shtml
Removal URL: http://www.sorbs.net/overview.shtml
FAQ URL: http://www.sorbs.net/faq
Contact: http://www.sorbs.net/cgi-bin/mail

Description

S.O.R.B.S. (The Spam and Open Relay Blocking System) has provided DNS-based spam blocking services since 1992. SORBS is now one of the largest and best-known DNS blocking lists.

The SORBS blocking system started as a simple daemon that scanned emails and hosts, and evolved to actively publish IP blacklists of botnets, trojan-infected computers, dynamic IP address space, well-known spammer IP address ranges, and hijacked and hacked servers, in addition to its honeypots and spamtraps.

A S.O.R.B.S. project, the SORBS Spam Firewall, which is not finished yet, will be a hardware-based anti-spam appliance that acts as a proxy to your primary SMTP server.

SORBS is a community-driven project. No one at SORBS is paid. SORBS runs on donations of cash, hardware, software, or volunteer time. The SORBS blacklist is a constant target of distributed denial of service attacks by spammers. Under these circumstances, some network providers will generally step up and volunteer resources to help distribute some of the load of the attack.

SORBS has an extremely comprehensive website, which includes a number of tools to help server administrators when they want to use the SORBS services, or when their machines are listed in one of the SORBS blacklists. It offers a real-time IP address checking tool, open relay testing tools, open proxy checking tools, and general current information about zombie networks and newly known vulnerabilities.

Listing criteria

The SORBS listing criteria are not easily defined due to the large number of zones that SORBS maintains. There are some zones that everyone will find themselves listed on, such as the Dynamic IP zone, which contains large network blocks of dynamically allocated IP addresses. Other SORBS blacklists are similar to those of the major DNSBL providers offering similar services.

In addition, some of the SORBS blacklists are broken down into time-based lists containing hosts that sent spam within 24 hours, 48 hours, and 28 days. This gives SMTP server administrators significant granularity in choosing exactly what they want to block, and what they may want to allow into their network.

Zones

SORBS maintains 17 distinct DNSBL zones.

dnsbl.sorbs.net

The dnsbl.sorbs.net blacklist is SORBS's primary zone, and contains all of the other SORBS zones. Due to the aggressive nature of some SORBS zones, it's not practical to use dnsbl.sorbs.net until you are completely familiar with each of the sub zones.

http.dnsbl.sorbs.net

The SORBS http.dnsbl.sorbs.net blacklist contains IP addresses of HTTP proxy servers that allow anonymous access. Correctly configured proxy servers allow access only to those who have been granted permission.
Some administrators have incorrectly configured their web servers and left the proxy feature open for anyone to use. This does not contribute to spam, but is a sign that the server may have other problems, including being unsecured in a way that lets it send out unsolicited commercial bulk email.

socks.dnsbl.sorbs.net

The socks.dnsbl.sorbs.net blacklist contains IP addresses of SOCKS proxy servers that allow anonymous access. In comparison to HTTP proxy servers, SOCKS servers can act as a proxy for any type of traffic, including SMTP email traffic.
Removal from the socks.dnsbl.sorbs.net blacklist requires securing your server so that it does not allow anonymous access to your SOCKS proxy.

misc.dnsbl.sorbs.net

The SORBS misc.dnsbl.sorbs.net blacklist zone contains all other proxies that could not be classified as an HTTP proxy or a SOCKS proxy and are open to anonymous access.

smtp.dnsbl.sorbs.net

The smtp.dnsbl.sorbs.net blacklist contains IP addresses of SMTP servers configured as open relays. A properly configured SMTP server allows only authenticated and trusted users to send email through its system. In contrast, an open relay SMTP server requires neither sender authentication nor other checks.

Any server that allows unauthenticated email to be sent through its systems will be listed in the smtp.dnsbl.sorbs.net blacklist. This usually happens when someone reports the server as an open relay, or when the SORBS scanners and systems notice that the system allows email to be sent without authentication.

Removal from the list requires securing your server. If your server has been repeatedly listed, you may have to take additional steps, up to and including making a donation to a SORBS approved charity to be completely delisted.

web.dnsbl.sorbs.net

The web.dnsbl.sorbs.net blacklist contains IP addresses of web servers with insecure or exploited web form mailers which could be used to send spam.
When an exploited machine is detected, it is listed in web.dnsbl.sorbs.net. To be removed from the blacklist, track down the exploited form and scripts, and secure the server. With the scripts secured, you can have your server tested again by the SORBS system.

new.dnsbl.sorbs.net

The new.dnsbl.sorbs.net blacklist zone contains sources of spam that have been sent to actual SORBS administrators within the last 48 hours. Listing can also be triggered by spamtraps and honeypots. Continued spam coming from the same network will broaden the range of IPs that are listed until the entire network has been blocked.

Delisting from new.dnsbl.sorbs.net is one of the more controversial aspects of SORBS. At best, the listing will be reduced to the single IP address where spam was first detected. This will be done free of charge. Only when the entire netblock and the original offending IP address have ceased all spamming operations will that IP become a candidate for delisting. Once an IP has become a candidate, removal will happen upon a donation to a SORBS approved charity.

recent.dnsbl.sorbs.net

The recent.dnsbl.sorbs.net blacklist contains all data from new.dnsbl.sorbs.net, and also includes hosts that have been seen sending spam within the last 28 days.
Delisting conditions and rules for this blacklist are the same as for the new.dnsbl.sorbs.net blacklist.

old.dnsbl.sorbs.net

The SORBS old.dnsbl.sorbs.net blacklist contains all data from recent.dnsbl.sorbs.net and new.dnsbl.sorbs.net, and in addition contains hosts that have been seen sending spam within the last year. The old.dnsbl.sorbs.net list is the final step at which a host could potentially still make an effort to be delisted. With the threshold being one year, delisting is unlikely, and it is more likely that the host will remain permanently listed within SORBS.

spam.dnsbl.sorbs.net

The spam.dnsbl.sorbs.net blacklist is the final step in the SORBS spam blacklists. It contains all data from old.dnsbl.sorbs.net, which in turn contains all the data from recent.dnsbl.sorbs.net and new.dnsbl.sorbs.net.

This means that the spam.dnsbl.sorbs.net blacklist contains only hosts that have no intention of stopping spam.
These hosts will not be delisted from any SORBS blacklists under any circumstances.

escalations.dnsbl.sorbs.net

The escalations.dnsbl.sorbs.net blacklist contains netblocks of IP addresses of ISPs and hosting providers who are "more tolerant of spammers than others".
This means that some of the large shared hosting providers, such as DreamHost, RackSpace, BlueHost or GoDaddy, can be found listed in the escalations.dnsbl.sorbs.net blacklist. This can often mean that hundreds of thousands of IP addresses are listed within escalations.dnsbl.sorbs.net.

This is controversial, because a single spammer is able to have every hosted client of GoDaddy, for example, completely blocked by SORBS. On the other hand, as long as the hosting facility stays on top of spam reports and terminates all spammer accounts, listing can be prevented. But this requires significant effort, cost, and resources from the hosting company.

block.dnsbl.sorbs.net

Some server administrators do not like how SORBS operates, and ask that their systems not be scanned at all by SORBS. SORBS respects this request, and leaves their netblocks out of its scanning systems.
However, an IP that is not to be scanned is placed into the block.dnsbl.sorbs.net blacklist. This list can then be used by others as a way of classifying hosts as not wanting to be scanned. Interpretation of what that means is up to the administrator who chooses to use the block.dnsbl.sorbs.net blacklist.

zombie.dnsbl.sorbs.net

A zombie machine is a computer or server that is no longer fully controlled by its original owner. These compromised systems usually have malicious software installed. An infected machine could be a remotely controlled open relay or a single node in a botnet farm of many thousands of machines.
The zombie.dnsbl.sorbs.net blacklist contains all known cases of machines that have been compromised in some way.

Zombie machines are generally fixed quickly once the administrator is made aware of the problem. Such a machine could be exposing critical client information, banking details, and other sensitive or private data. This means that it is in the administrator's best interest to disconnect the machine from the network until it is repaired and restored to a pre-infection state.

dul.dnsbl.sorbs.net

The dul.dnsbl.sorbs.net blacklist zone contains all known dynamic IP address space.
Because no one should be allowed to run an email server within dynamic space, it is often safe to list and block all email that comes from dynamic IP address space.

The majority of internet users receive internet access from an ISP, and in most cases the users will obtain a dynamic IP address. A dynamic IP address could change from time to time. It's not a good idea to run an email server on this type of address.
All major ISPs disallow running an email server on a dynamic IP address in their terms of service.
This blacklist is ever evolving, growing and being reallocated. If there is an error in the listing, notifying SORBS to investigate will usually lead to the range or address being removed.

rhsbl.dnsbl.sorbs.net

The rhsbl.dnsbl.sorbs.net blacklist is a full combination of all of SORBS's right hand side blacklist zones.

DNS blacklists can be queried in a few different ways. Some are called "Right Hand Side" lists, and others are called "Left Hand Side" lists.
The difference is simple, and depends on how you look at the data returned in the query. If the result you are looking for is returned on the right side of the answer, that is a right hand side list. Conversely, if the result is returned on the left side, that's a left hand side list.
Since most of the SORBS blacklists return IP addresses, they will mostly be right hand side blacklists. This means that if you query their DNS servers for something like ip.add.re.ss.rhsbl.dnsbl.sorbs.net, you look to the right of the returned "A" record for the answer.
The answer will generally be a positive response in the form of an IP address, such as 127.0.0.1.
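
An added example (not code from this page or from SORBS) of the lookup described above, in Python: it builds the query name for each sub-zone, resolves it, and reports a verdict per zone. It assumes the standard DNSBL convention (RFC 5782) that the IPv4 octets are reversed in the query name and that listing answers fall in 127.0.0.0/8; the function names, the chosen zones and the sample resolver data are constructed for illustration.

```python
import ipaddress
import socket

# Sub-zones named on this page; the aggregate dnsbl.sorbs.net is left out on purpose.
ZONES = ["smtp.dnsbl.sorbs.net", "socks.dnsbl.sorbs.net", "zombie.dnsbl.sorbs.net"]


def query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # covers socket.gaierror / socket.herror (NXDOMAIN, timeouts)
        return []


def check(ip, zones=ZONES, resolve=system_resolver):
    """Map each zone to 'listed', 'not listed' or 'invalid answer'."""
    result = {}
    for zone in zones:
        answers = resolve(query_name(ip, zone))
        if not answers:
            result[zone] = "not listed"
        elif all(ipaddress.ip_address(a).is_loopback for a in answers):
            result[zone] = "listed"  # DNSBL answers live in 127.0.0.0/8
        else:
            # A routable answer means a wildcard, parked or hijacked zone;
            # treating it as a listing would reject mail from every sender.
            result[zone] = "invalid answer"
    return result


def constructed_resolver(name):
    """Constructed sample data standing in for DNS so the demo runs offline."""
    table = {
        "10.2.0.192.smtp.dnsbl.sorbs.net": ["127.0.0.1"],
        "10.2.0.192.zombie.dnsbl.sorbs.net": ["203.0.113.7"],
    }
    return table.get(name, [])


if __name__ == "__main__":
    for zone, verdict in check("192.0.2.10", resolve=constructed_resolver).items():
        print(f"{zone}: {verdict}")
```

Querying the sub-zones one by one keeps the accept or reject decision separate for each list, which is the familiarity the dnsbl.sorbs.net section asks for before using the aggregate zone.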

badconf.rhsbl.sorbs.net

The badconf.rhsbl.sorbs.net blacklist contains IP addresses or hosts whose A or MX records point back to invalid address space.

Not all IP addresses on the internet are valid. Some are obviously non-routable, like 127.0.0.1, which is a special reserved local address. There are additional IP addresses to which no computer will be connected as well. These are used for internal networks, private networks, and test networks. They are generally not accessible from public IP address space, and it makes no sense to receive email from a system that advertises itself as running from an invalid IP address.

nomail.rhsbl.sorbs.net

The nomail.rhsbl.sorbs.net blacklist contains IP addresses of hosts whose owner knows that no email will ever originate from that IP.

Not every server on the internet will need to send email. Some of them may be designated exclusively for super computer research or educational purposes.
If a spammer ever spoofs an IP address that is within this range, this blacklist would catch that spoofed attempt and block the email from being sent.

Removal Process from SORBS

Due to the large number of SORBS zones, the IP removal policy is complicated and hard to pinpoint.
Some lists are static and will never have any IP address removed (for example the dynamic IP address blacklists). Others, such as the open relay blacklists, will not have the IP removed until the IP address has passed an open relay check which indicates that the system has been secured.
However, in almost all cases, if you fix the source of spam, your IP address can be removed from the blacklists. SORBS provides complex tools to help you determine why you were blocked. You also have access to mailing lists and can contact administrators who are able to help you learn how to better secure your SMTP server.