SFDB Problem
kspare
Senior Member Joined: 26 January 2005 Location: Canada Status: Offline Points: 334 |
Posted: 10 May 2006 at 10:25am |
Somehow a customer of mine who does not send spam got on the SFDB. The local ISP's static IP addresses are somehow making it onto the SORBS dynamic IP list. I'm not sure if this is what is causing them to make it into the SFDB, but this is now the 2nd customer from the same ISP to make it in. Neither sends out spam, but both have made it into the DB. It's kind of embarrassing on our part.
Thoughts?
|
Marco
Senior Member Joined: 07 June 2005 Location: Netherlands Status: Offline Points: 137 |
How many SF users reported the static IPs in question? If more than a few of us are receiving mails from *those* IPs my only conclusion would be: they ARE spamming.... You sure they're not infected with some SMTP worm? Did they send out mass mailings by chance?
|
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
|
|
kspare
Senior Member Joined: 26 January 2005 Location: Canada Status: Offline Points: 334 |
There aren't any viruses; we graph their internet usage with MRTG to monitor for stuff like that. I've also got the firewall set up to only allow the Exchange server to send out, and their Exchange servers are all running GroupShield. SORBS shows their IP as being on the dynamic list, when they are actually static IPs.
|
Roman
Guest Group |
kspare, their main goal must be to be delisted from dul.dnsbl.sorbs.net (this must be done by request from their ISP). Otherwise their mail will always be considered as spam by all SORBS users (and therefore will always stay in SFDB).
|
|
kspare
Senior Member Joined: 26 January 2005 Location: Canada Status: Offline Points: 334 |
The thing is, this just started popping up, so I'm not sure if SORBS changed how they are doing things, I dunno. They never used to be on SORBS and they've had the static IP for almost 6 years! Maybe I will just have to bounce the mail from their Exchange server off of me or off of the ISP.... I won't be able to get the rDNS changed by the ISP so that is out. My options are kinda limited.
|
Roman
Guest Group |
The easiest way is to whitelist them.
And you may inform them about this problem so they can try to solve this problem with their ISP.
BTW, I have a static IP from my backup link (ethernet!) which is listed in dul.dnsbl.sorbs.net (maybe because that IP range is shared by many small ISP clients), so I have to use that ISP's mail relay server to bypass the mail.
|
|
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143 |
FYI. I know this does not solve your issue BUT ... I have stopped using SORBS due to the high increase of "bad" entries and the extortion tactics they use now to get removed. It is so hard to get removed that most admins do not bother trying.
|
|
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com |
|
kspare
Senior Member Joined: 26 January 2005 Location: Canada Status: Offline Points: 334 |
Dan, that's probably the approach I am going to take. I've been seeing a lot of IPs that simply are not a threat on there and nothing seems to get them off.
|
|
Roman
Guest Group |
That's true. Their cumulative zone is very aggressive because it contains "ISPs that support spammers, including spammers web-hosting". So now I use discrete zones and so far so good.
|
|
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143 |
Here's the problem though .... Any SpamFilterISP users that DO use SORBS will be adding their entries to the SFDB. So far this has not caused me a problem but it may in the future. So far, the SFDB has been super good for us except when we managed to get one of our own customers on the list. BUT ... they send out mass mailings and even though it is a real double opt-in list, people still report it instead of unsubscribing. It was only a short-term problem due to the way the SFDB expires and actually was kind of funny to us.
|
|
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com |
|
Roman
Guest Group |
Well, this should be solved when there are enough SFDB users to "average" aggressive (incorrect) reporters with cautious ones.
|
|
Roman
Guest Group |
BTW, I have been testing discrete SORBS zones for several months now, and I have not seen any false positives yet (instead of 1-4 per week with the cumulative).
|
|
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143 |
Roman,
Which zones do you use? |
|
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com |
|
Roman
Newbie Joined: 04 November 2005 Location: Russian Federation Status: Offline Points: 32 |
Dan, in my experience you should definitely keep away from spam.dnsbl.sorbs.net, which according to http://www.us.sorbs.net/using.shtml "...contains netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer..." and is included in the aggregate dnsbl.sorbs.net. All the others seem to be OK (for me). Actually, I have been testing my new set of zones for about 2 months now, and the current numbers for that period are:

Hits   Zone
8178   sbl-xbl.spamhaus.org
5800   dul.dnsbl.sorbs.net
1045   bl.spamcop.net
96     web.dnsbl.sorbs.net
80     dnsbl.njabl.org
11     socks.dnsbl.sorbs.net
3      spam.dnsrbl.net
3      http.dnsbl.sorbs.net
0      rhsbl.sorbs.net
0      misc.dnsbl.sorbs.net
0      smtp.dnsbl.sorbs.net
|
pcmatt
Senior Member Joined: 15 February 2005 Location: United States Status: Offline Points: 116 |
Roman is right on target. We've experienced the same results. Nobody should use the spam.dnsbl.sorbs.net or the dnsbl.sorbs.net aggregate list at this time because it is the SORBS admin's private aggressive block list. I don't think they ever remove an IP that gets on that list. It is not helpful at all to the SFDB feature if any one of us is using this list. Roman's list of good SORBS lists matches our observations in the past few years.
|
-Matt R
|
|
Roman
Newbie Joined: 04 November 2005 Location: Russian Federation Status: Offline Points: 32 |
Actually, I don't see a very big reason to query SFDB for foreign RBL, MX or PTR checks - you can do it locally, keep it under your own control and not depend on inaccurate/aggressive SFDB submitters.
|
|
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178 |
Roman, thanks for your MAPS lists - I'm going to try it out for a little while and see if I have the same kind of success.
But, did you really get 3 results from spam.dnsrbl.net? I've found them to be down for quite a while. In fact, I just checked DNS records for dnsrbl.net - there doesn't seem to be anything there...
Stephen
|
Roman
Guest Group |
Hmm, you are right, Stephen. I didn't keep an eye on them. The last hit was in March and there is no answer from their servers now.
|
|
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178 |
Yeah, what's interesting is that since you successfully connected to them in March, they must have died, come back, and died again. I first noticed that they were down in January, when I posted this:
http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5450&KW=sgeorge
...That may mean that they may come back in the future, perhaps(?) Mysterious bunch, those dnsrbl folks...
Stephen
|
Roman
Guest Group |
It looks like they've turned servers on for a short period of time :)
Good for me they didn't start returning positive answer for every query...
BTW, Stephen, I've read your topic, how is combined.njabl.org going?
|
|
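Added example, not part of any post in this thread: a local DNSBL check against discrete zones that first probes each zone's health, so a dead zone or one that starts answering for every query (both discussed above) is skipped instead of trusted. It assumes the zones follow the RFC 5782 test-entry convention (127.0.0.2 listed, 127.0.0.1 not listed), which not every list honours; the `dnsbl.example` zone names and the stub resolver are constructed so the block runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """192.0.2.25 + zone -> 25.2.0.192.<zone> (IPv4 octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """A records for name; [] on NXDOMAIN, timeout or any resolver error."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def listings(answers):
    """Keep only 127.0.0.0/8 return codes; other answers are not listings."""
    return [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]

def zone_health(zone, resolve=system_resolve):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    if resolve(dnsbl_name("127.0.0.1", zone)):
        return "lists-everything"
    return "ok" if listings(resolve(dnsbl_name("127.0.0.2", zone))) else "dead"

def check_ip(ip, zones, resolve=system_resolve):
    """{zone: return codes} for healthy zones that list ip; others are skipped."""
    hits = {}
    for zone in zones:
        if zone_health(zone, resolve) == "ok":
            codes = listings(resolve(dnsbl_name(ip, zone)))
            if codes:
                hits[zone] = codes
    return hits

# Constructed offline data: three hypothetical zones and a stub resolver.
def sample_resolve(name):
    if name.endswith(".wild.dnsbl.example"):
        return ["127.0.0.2"]            # answers for every query
    records = {"2.0.0.127.good.dnsbl.example": ["127.0.0.2"],
               "25.2.0.192.good.dnsbl.example": ["127.0.0.10"]}
    return records.get(name, [])        # dead.dnsbl.example never answers

SAMPLE_ZONES = ["good.dnsbl.example", "dead.dnsbl.example", "wild.dnsbl.example"]
if __name__ == "__main__":
    print({z: zone_health(z, sample_resolve) for z in SAMPLE_ZONES})
    print(check_ip("192.0.2.25", SAMPLE_ZONES, sample_resolve))
```

Leaving out the `resolve` argument uses the system resolver, so the same functions can be pointed at whichever live zones a site has chosen.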
sgeorge
Senior Member Joined: 23 August 2005 Status: Offline Points: 178 |
I'm actually not using it as "combined" anymore. At the time of that post I had just added some aggressive settings to my MAPS blacklist. I was unhappy with the number of false positives I was receiving - but I can't recall whether the falses were on account of njabl or another list. Afterwards, I "cheated" a bit:
Stephen
|
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143 |
Roman, For what it's worth, I find the combined.njabl.org to be very good. AND, they report nicely which list caused the listing. I have had no known or at least chronic issues. |
|
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com |
|
Roman
Guest Group |
OK, I've added dynablock.njabl.org to the end of my list and will try to keep an eye on it.
Thank you Dan, Stephen.
|
|