The Learning Center
Home  »  Blacklists  »  SORBS

The Spam and Open Relay Blocking System (SORBS)

Summary

Status:Active
Terms:Free and Paid Services
Zones:17
Website:www.sorbs.net
Removal:www.sorbs.net/overview.shtml
Lookup:www.sorbs.net/lookup.shtml
FAQ:www.sorbs.net/faq
Contact:www.sorbs.net/cgi-bin/mail

Background

S.O.R.B.S., also known as The Spam and Open Relay Blocking System (SORBS), has been providing DNS based spam blocking services since 1992. In it's infancy, it served as a small daemon that parsed through emails send via open relays and proxy's, which in turn would add those IP addresses to a DNS blacklist. These initial efforts were very much a learning process that has brought SORBS to where it is today; one of the largest and most well known DNS blocking lists there is. It wasn't until January 6, 2003, that these learning efforts were released to the public in the form of what is today known as SORBS.

The SORBS system has grown from a simple daemon that scanned emails and hosts to actively publishing IP address lists of botnets, trojan infected machines, dynamic IP space, known spammer IP address ranges, hijacked servers, hacked servers, in addition to honeypots and spamtraps. Also worth noting is the SORBS Spam Firewall, which when released, will be a hardware based anti-spam appliance that acts as a proxy to your primary SMTP server.

SORBS is a community driven project. None of those involved in SORBS are paid; the entire operation runs off of donations of either cash, hardware, software, or volunteer time. Due to the size of the SORBS project, they are a constant target of spammers for distributed denial of service attacks. When these events happen, they can put a serious burden on the SORBS system. In these situations, a larger network provider will generally step up and volunteer resources to aid in distributing some of the load of the attack.

The SORBS website is extremely comprehensive, including a number of tools to aid the server administrator in the event they want to use the SORBS service, or were by chance listed in one of the SORBS blacklists. You can find a real time IP address checking tool, in addition to open relay testing tools, open proxy checking tools, plus generalized current information about zombie networks and current known vulnerabilities.

Listing criteria

The SORBS listing criteria is not easily defined due to the large amount of zones that SORBS maintains. There are some zones that everyone will find themselves listed on, such as the Dynamic IP zone. This is a zone that contains large network blocks of IP addresses that are known to be allocated to dynamic IP address space. Because it is generally against the terms of service with an end users ISP to host an SMTP server on their residential line, it is safe to list those large ranges. Other SORBS blacklists are similar to the majority of DNSBL providers offering similar services.

For example, SORBS maintains a list of IP addresses that have sent spam to SORBS administrators. These are further broken down into time based lists, with those seen sending spam within 24 hours, 48 hours, and 28 days. Outside of normal style blocking lists, there are escalation lists, where repeat offenders can find themselves listed, distinct lists containing just zombied or compromised machines, even known servers that have misconfigurations. SORBS multitude of lists gives the SMTP server administrator significant granularity in choosing exactly what they want to block, and what they may want to allow into their network.

Zones

SORBS maintains 17 distinct DNSBL zones.

dnsbl.sorbs.net

This is SORBS primary zone, and contains all of the below zones. Due to the aggressive nature of some of the zones, it may not be wise to use dnsbl.sorbs.net until you are completely familiar with each of the sub zones contained within.

http.dnsbl.sorbs.net

A proxy server is a web server than a user can tunnel their connection through. When you make a request for a website, your request is sent directly to the remote website, and data is then returned to your browser. The addition of a proxy server means that you request all data from the proxy server, which in turn, requests it from the remote website. Ultimately, the proxy server returns the data to you.

Correctly configured proxy servers will only allow access to those who have been granted permission. Some administrators have incorrectly configured their web servers and left the proxy feature on; and worse, left it open for anyone to use. An open proxy server generally does not contribute to spam, but is a sign that the server may have other problems, including being unsecured in a way that is sending out unsolicited commercial bulk emails.

http.dnsbl.sorbs.net lists servers in which a proxy has been detected that allows anonymous access.

socks.dnsbl.sorbs.net

A SOCKS Proxy is very much like the aforementioned http proxy server with one small difference. In general, a proxy server is primarily used for proxying http traffic, whereas a SOCKS proxy can middleman any type of traffic it is configured for. These are the most dangerous kinds of open proxies as they can be used to anonymously and blindly proxy SMTP email traffic. Having an open SOCKS proxy will add your IP address to the socks.dnsbl.sorbs.net blacklist. Removal from the list requires securing your server to not allow anonymous access to your SOCKS proxy. It is perfectly fine and valid to run a SOCKS proxy; many organizations need to in order to work around highly secured or even misconfigured firewalls. While SOCKS proxies provide a valuable technological service, often is the case that security is overlooked.

misc.dnsbl.sorbs.net

The SORBS misc.dnsbl.sorbs.net zone contains all other proxies that could not be classified as an HTTP proxy or a SOCKS proxy.

smtp.dnsbl.sorbs.net

Anyone who runs an SMTP server has the potential for being listed in the smtp.dnsbl.sorbs.net blacklist. An SMTP server is nothing more than a server that is configured to send email. A properly configured server will only allow authenticated and trusted users to send email through it's system. Many years ago, before spam was ever a thought, all servers were configured as open relays, in a way that it was left as a public service for anyone to use. If you needed to send an email, there were lists of free and open SMTP servers where the administrators were kind enough to allow anonymous use.

With the advent of spam, open SMTP servers are no longer allowed. Any server that allows unauthenticated email to be sent through it's systems will be listed in the smtp.dnsbl.sorbs.net blacklist. This usually happens by someone reporting the server as an open relay, or by the SORBS scanners and systems noticing that the system allows the sending of email without authentication.

Removal from the list requires securing your server. Every SMTP server can be secured, looking at the documentation should provide you with ample instructions on how to close off the ability to send anonymous email. However, just securing your server may not be enough to have your IP address removed from smtp.dnsbl.sorbs.net. If your server has been repeatedly listed, you may have to take additioanal steps, up to and including making a donation to a SORBS approved charity to be completely delisted.

web.dnsbl.sorbs.net

Not all servers online have fully configured SMTP gateways. Some are simple http servers that are designed to serve web sites and databases. Within most of these websites, a user may have the need to connect an html form to an email sending script. For this to happen, the local mailer on the server is used. This mailer generally only accepts connections from itself, making it secure, and unavailable to becoming an open relay.

In order for the web server to be useful, it has to allow scripts to send the form data entered by users. Some of these form scripts are old, and written when web security was not much of a concern. Highly popular form to email scripts have been installed on most all web servers; not all are secure. Nefarious users have learned how to locate these scripts, and secretly pass data to them, using them as a form of gateway to interface with the local mailer on the web server. In some cases, the administrator of the server is not even aware of the exploited script, as it was installed on a pay by the month shared hosting account.

When an exploited machine is detected, it will be listed in web.dnsbl.sorbs.net. To be removed from the listing, track down the exploited form to email scripts, and have them secured. With the scripts secured, you can have your server tested again by the SORBS system.

new.dnsbl.sorbs.net

The new.dnsbl.sorbs.net blacklist zone contains spam that has been sent to actual SORBS administrators within the last 48 hours. Listing can also be triggered by spamtraps and honeypots. Continued spam coming from the same network will broadened the range of IP's that is listed until the entire network has been blocked.

Delisting from new.dnsbl.sorbs.net is one of the more controversial aspects of SORBS. At best, delisting will be reduced to the single IP address where spam was first detected. This will be done free of charge. Only when the entire netblock and original offending IP address has ceased all spamming operations, will that IP become a candidate for delisting. Once an IP has become a candidate, removal will happen upon a donation to a SORBS approved charity.

recent.dnsbl.sorbs.net

This blacklist is identical to new.dnsbl.sorbs.net, and also includes in it's entirety, all the data in new.spam.sorns.net. However, it also expands the list to include hosts that have been seen sending spam within the last 28 days. The same conditions and rules apply to this blacklist as do those of new.spam.dnsbl.net.

old.dnsbl.sorbs.net

Much like recent.dnsbl.sorbs.net, hosts listed in old.dnsbl.sorbs.net have been seen sending spam within the last year. This blacklist contains all data that is active in recent.dnsbl.sorbs.net and new.dnsbl.sorbs.net. old.dnsbl.sorbs.net is the final step in which a host could potentially still make an effort to be delisted. With the threshold being one year, the chances are unlikely, and more likely that this host will remain permanently listed within SORBS.

spam.dnsbl.sorbs.net

spam.dnsbl.sorbs.net is the final step in the spam blacklists. spam.dnsbl.sorbs.net contains all data from old.dnsbl.sorbs.net, which in turn contains all the data in recent.dnsbl.sorbs.net and new.dnsbl.sorbs.net. These are generally offenders that have no intention of stopping spam, and will continue to be a burden on the inboxes of email users the world over. These hosts have further not made any effort to ask for delisting of any kind from SORBS.

escalations.dnsbl.sorbs.net

Most people can not afford to start their own Internet Service Provider, so they lease space at a larger facility. Some of these facilities ore more tolerant of spammers than others. While they are your servers and data, and you are free to do with them as you please, your data is moving across someone else's network. escalations.dnsbl.sorbs.net contains entire netblocks of ISP's that are tolerant of spammers.

This means that escalations.dnsbl.sorbs.net could potentially have some of the large shared hosting providers listed, such as DreamHost, RackSpace, BlueHost, and GoDaddy. These so called "spam supporters" are added to the list after a "three strikes and you are out" type of policy. After the third spam is seen coming from one of these large ISP's, their entire range of IP addresses will be added to escalations.dnsbl.sorbs.net. This often can mean that hundreds of thousands of IP addresses will be contained within this blacklist.

This is another area in which SORBS is controversial. A single rogue spammer has the power and potential to have every hosted client of GoDaddy, for example, completely blocked by SORBS. On the other hand, as long as the hosting facility is on top of spam reports, and terminates all spammer accounts, listing can be prevented. This does come at significant effort, cost, and resources to the hosting company.

block.dnsbl.sorbs.net

As mentioned, SORBS is a somewhat controversial DNSBL. Even without the controversial pay to be delisted aspects, DNSBLS are often times a hard concept for an end user to grasp. Users demand to be delisted, and demand that SORBS stop blocking their emails. What they are failing to understand, is that they are complaining to the wrong entity. No DNSBL actually blocks any email, they just procure and maintain lists of IP addresses, and sometimes lists of URL's. Worse, are the cases where the end user making the complaints actually did send spam, but refuses to acknowledge that their actions were in fact the sending of unsolicited commercial or bulk email.

Some administrators do not like how SORBS operates, and ask that their systems not be scanned at all by SORBS. SORBS respects this request, and leaves their netblocks out of their scanning systems. However, the IP that is not to be scanned, is placed into the block.dnsbl.sorbs.net blacklist. This list can then be used by others as a way of classifying hosts as not wanting to be scanned. Interpretation of what that means is up to the administrator that chooses to use the block.dnsbl.sorbs.net blacklist.

zombie.dnsbl.sorbs.net

A zombie machine is a computer or server that is no longer full controlled by it's original owner. It may appear on the surface to be operational, and even secure, however, underneath that facade is a compromised system of malicious software. The infected machine could be as simple as a remotely controlled open relay, to as sophisticated as a single node that is part of a multi thousand farm of botnets. zombie.dnsbl.sorbs.net contains all known cases of machines that have been compromised in some way.

Zombie machines are generally fixed quickly once the administrator i made aware of the problem. A zombie machine could be exposing critical client information, banking details, and other sensitive and private data. It is always in the administrators best interest to either disable this machine from the network until it can be repaired, or immediately figure out how to secure it and restore it to a pre infected state.

dul.dnsbl.sorbs.net

The large majority of internet users receive internet access from an ISP. This connection is made through a cable modem, DSL line, or fiber optic line. In most cases, the users access will be connected through a dynamic IP address. A dynamic IP address is one that changes from time to time. Some ISP's allow the user to hold onto their dynamic IP address for months at a time, while others expire the lease time on the address in a few hours.

If your IP address is at risk of changing, it is not be a good idea to run an email server on it. A changing IP address would be difficult for another email server to locate. Mail sent to one particular IP address, could end up at an entirely different physical destination if the IP address were to change. While there are workaround for this through custom DNS services, you will find that the terms of service of all major ISP's disallow you from running an email server on a dynamic IP address. If you desire to run an email server on a residential line, you can make arrangements with your ISP to provide you with a static IP address. This is usually within the terms of service of that new contract.

Because no one is allowed to run an email server within dynamic space, it is often safe to list and block all email that comes from dynamic IP address space. dul.dnsbl.sorbs.net is a list of known dynamic IP address space. This list is ever evolving; growing, shrinking, and reallocating. While false positives are generally low, there can be error in the listing within the dynamic blacklist. In these cases, notifying SORBS to investigate will usually lead to the range or address being removed. If you are not running a mail server on your IP address, being listed in dul.dnsbl.sorbs.net is not indicative of any issues.

rhsbl.dnsbl.sorbs.net

DNS blacklists can be queried in a few different ways. Some are called "Right Hand Side" lists, and others are called "Left Hand Side" lists. The difference is simple, and revolves around how you look at the data returned in the query. If the result you are looking for is returned on the right side of the answer, that is a right hand side list; conversely, if the result is returned on the left side, that is a left hand side list.

Since most of SORBS blacklists return IP addresses, they will mostly be right hand side blacklists. This means you would query their DNS servers for something like ip.add.re.ss.rhsbl.dnsbl.sorbs.net and look for the answer to the right of the returned "A" record. This will generally be a positive response of an IP address, such as 127.0.0.1. rhsbl.dnsbl.sorbs.net is a full combination of all of SORBS right hand side zones. If you want to use all of SORBS IP based lists, this is the query source you would use.

badconf.rhsbl.sorbs.net

Not all IP addresses on the internet are valid. Some are obviously non-routable, like 127.0.0.1, which is a special reserved local address. There are additional IP addresses in which no computer will be connected as well. These are used for internal networks, private networks, and test networks. They are generally not accessible from public IP address space, and serve no purpose from the perspective of an email server.

It makes no sense to receive email from a system that is advertising to be running from an IP address that is invalid. Systems which have been seen sending email in which their A or MX records point back to invalid address space are listed in badconf.rhsbl.sorbs.net.

nomail.rhsbl.sorbs.net

Not every server on the internet will need to send email. Some servers may be designated exclusively for super computer research. Or perhaps an entire range of IP addresses has been allocated for educational purposes of grid computing to solve complex math problems. If an IP address space owner knows that no email will ever originate from that network, they can ask to be listed in the nomail.rhsbl.sorbs.net blacklist.

If a spammer ever spoofs an IP address that is within this range, this blacklist would catch that spoofed attempt and block the email from being sent. If you are aware of large ranges of IP addresses in which no email will ever legitimately be sent from, you can notify SORBS and have that range listed in their nomail.shsbl.sorbs.net blacklist.

Removal Process

Due to the large number of zones that SORBS hosts, a single IP removal policy is hard to pinpoint. Some lists are static and aside from administrator error, will never have the IP addresses removed. An example of this would be the dynamic IP address blacklists. Others, such as the open relay blacklists, will not have the IP removed until your IP has passed an open relay check, and your system has been secured. However, in most all cases, if you fix whatever it was that was generating spam, your IP address can be removed from the blacklist. SORBS provides comprehensive tools to aid you in determining why you were blocked, as well as access to mailing lists and administrators that are willing to help you learn how to better secure your SMTP server.

Related Articles