
SFDB Problem

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5607
Printed Date: 21 January 2025 at 7:11pm


Topic: SFDB Problem
Posted By: kspare
Subject: SFDB Problem
Date Posted: 10 May 2006 at 10:25am

Somehow a customer of mine who does not send spam got on the SFDB.

The local ISP's static IP addresses are somehow making it onto the SORBS dynamic IP list. I'm not sure if this is what is causing them to make it into the SFDB, but this is now the 2nd customer from the same ISP to make it in.

Neither send out spam, but both have made it into the db.

It's kind of embarrassing on our part.

 

thoughts?




Replies:
Posted By: Marco
Date Posted: 10 May 2006 at 10:31am

How many SF users reported the static IPs in question?

If more than a few of us are receiving mails from *those* IPs my only conclusion would be: they ARE spamming....

You sure they're not infected with some smtp worm?

Did they send out mass mailings by chance?



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: kspare
Date Posted: 10 May 2006 at 10:34am

There aren't any viruses; we graph their internet usage with MRTG to monitor for stuff like that.

I've also got the firewall set up to only allow the Exchange server to send out; their Exchange servers are all running GroupShield on them.

SORBS shows their IP as being on the dynamic list, when they are actually static IPs.



Posted By: Guests
Date Posted: 10 May 2006 at 11:12am
kspare, their main goal must be to be delisted from dul.dnsbl.sorbs.net (this must be done by request from their ISP). Otherwise their mail will always be considered as spam by all SORBS users (and therefore will always stay in SFDB).


Posted By: kspare
Date Posted: 10 May 2006 at 11:14am

The thing is, this just started popping up, so I'm not sure if SORBS changed how they are doing things, I dunno. They never used to be on SORBS and they've had the static IP for almost 6 years!

Maybe I will just have to bounce the mail from their exchange server off of me or off of the isp....

I won't be able to get the rDNS changed by the ISP so that is out. My options are kinda limited.



Posted By: Guests
Date Posted: 10 May 2006 at 11:27am
The easiest way is to whitelist them.
 
And you may inform them about this problem so they can try to solve it with their ISP.
 
BTW, I have a static IP from my backup link (ethernet!) which is listed in dul.dnsbl.sorbs.net (maybe because that IP range is shared by many small ISP clients), so I have to use that ISP's mail relay server to bypass the mail.


Posted By: Desperado
Date Posted: 10 May 2006 at 11:46am
FYI. I know this does not solve your issue, BUT ... I have stopped using SORBS due to the high increase of "bad" entries and the extortion tactics they use now to get removed. It is so hard to get removed that most admins do not bother trying.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: kspare
Date Posted: 10 May 2006 at 11:59am
Dan, that's probably the approach I am going to take. I've been seeing a lot of IPs that simply are not a threat on there and nothing seems to get them off.


Posted By: Guests
Date Posted: 10 May 2006 at 12:00pm
That's true. Their cumulative zone is very aggressive because it contains "ISPs that support spammers, including spammers web-hosting". So now I use discrete zones and so far so good.


Posted By: Desperado
Date Posted: 10 May 2006 at 12:28pm
Here's the problem though .... Any SpamFilterISP users that DO use SORBS will be adding their entries to the SFDB.  So far this has not caused me a problem but it may in the future.  So far, the SFDB has been super good for us except when we managed to get one of our own customers on the list.  BUT ... they send out mass mailings and even though it is a real double opt in list, people still report it instead of unsubscribing.  It was only a short term problem due to the way the SFDB expires and actually was kind of funny to us.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: Guests
Date Posted: 10 May 2006 at 12:41pm
Well, this should be solved when there are enough SFDB users to "average" aggressive (incorrect) reporters with cautious ones.


Posted By: Guests
Date Posted: 10 May 2006 at 12:44pm
BTW, I have been testing discrete SORBS zones for several months now, and I have not seen any false positives yet (instead of 1-4 per week with the cumulative).


Posted By: Desperado
Date Posted: 10 May 2006 at 1:14pm
Roman,
Which zones do you use?

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: Roman
Date Posted: 10 May 2006 at 9:19pm
Dan, by my experience you should definitely keep out from spam.dnsbl.sorbs.net, which according to http://www.us.sorbs.net/using.shtml "...contains netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer..." and is included in the aggregate dnsbl.sorbs.net. All others seem to be OK (for me). Actually I have been testing my new set of zones for about 2 months now and the current numbers for that period are:

Hits/zone
8178     sbl-xbl.spamhaus.org
5800     dul.dnsbl.sorbs.net
1045     bl.spamcop.net
96     web.dnsbl.sorbs.net
80     dnsbl.njabl.org
11     socks.dnsbl.sorbs.net
3     spam.dnsrbl.net
3     http.dnsbl.sorbs.net
0     rhsbl.sorbs.net
0     misc.dnsbl.sorbs.net
0     smtp.dnsbl.sorbs.net


Posted By: pcmatt
Date Posted: 11 May 2006 at 10:24pm

Roman is right on target. We've experienced the same results. 

Nobody should use the spam.dnsbl.sorbs.net or the dnsbl.sorbs.net aggregate list at this time because it is the SORBS admin's private aggressive block list.

I don't think they ever remove an IP that gets on that list. It is not helpful at all to the SFDB feature if any one of us is using this list. Roman's list of good SORBS lists matches our observations in the past few years.



-------------
-Matt R


Posted By: Roman
Date Posted: 12 May 2006 at 10:23am
Actually I don't see a very big reason to query SFDB for foreign RBL, MX or PTR checks; you can do it locally, keep it under your own control and not depend on inaccurate/aggressive SFDB submitters.


Posted By: sgeorge
Date Posted: 17 May 2006 at 1:37pm
Roman, thanks for your MAPS lists - I'm going to try it out for a little while and see if I have the same kind of success. 

But, did you really get 3 results from spam.dnsrbl.net? I've found them to be down for quite a while. In fact, I just checked DNS records for dnsrbl.net; there doesn't seem to be anything there...

Stephen


Posted By: Guests
Date Posted: 17 May 2006 at 2:58pm
Hmm, you are right, Stephen. I didn't keep an eye on them. The last hit was in March and there is no answer from their servers now.


Posted By: sgeorge
Date Posted: 17 May 2006 at 3:08pm
Yeah, what's interesting is that since you successfully connected to them in March, they must have died, come back, and died again.  I first noticed that they were down in January, when I posted this:

http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5450&KW=sgeorge

...That may mean that they may come back in the future, perhaps(?)
Mysterious bunch, those dnsrbl folks...

Stephen


Posted By: Guests
Date Posted: 17 May 2006 at 4:01pm
It looks like they've turned servers on for a short period of time :)
 
Good for me they didn't start returning a positive answer for every query...
 
BTW, Stephen, I've read your topic, how is combined.njabl.org going?


Posted By: sgeorge
Date Posted: 17 May 2006 at 4:48pm
I'm actually not using it as "combined" anymore. At the time of that post I had just added some aggressive settings to my MAPS blacklist. I was unhappy with the number of false positives I was receiving, but I can't recall whether the falses were on account of njabl or another list. Afterwards, I "cheated" a bit:
  • I set my min MAPS matches from "1" to "2"
  • I intentionally used dnsbl.njabl.org and dynablock.njabl.org instead of combined.njabl.org
  • And I intentionally used sbl.spamhaus.org and xbl.spamhaus.org instead of sbl-xbl.spamhaus.org
  • and used a few other servers (bl.spamcop.net and dnsbl.sorbs.net)
  • ...My MAPS false positives ended up reducing greatly
I'm not proud of intentionally adding extra queries to these free services; that's why I'm going to give your settings a spin for myself and see if I'm satisfied with the number of false positives (or lack thereof, to be exact).

Stephen
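The two ideas traded above, Roman's per-zone hit tally over a set of discrete DNSBL zones and Stephen's raising of the minimum MAPS matches from 1 to 2 so that a single listing (such as a static mail server sitting on a dynamic-IP list) does not block mail on its own, can be shown in a few lines. The following is an added example, not code from this thread or from the Spam Filter ISP product. It builds the standard reversed-octet DNSBL query name, counts how many zones list a sender, applies a threshold, and tallies hits per zone. The resolver it uses is a constructed in-memory stand-in with invented listings (RFC 5737 documentation addresses) so that it runs offline; the `dns_resolver` function shows what the real lookup would be.

```python
"""Local DNSBL checks with discrete zones and a minimum-match threshold.

Added example: query-name construction, a per-sender threshold on the
number of listing zones, and a hits-per-zone tally. The offline
resolver and its listings below are constructed sample data.
"""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List

# Discrete zones following the set discussed in the thread (without the
# defunct spam.dnsrbl.net and the aggressive spam.dnsbl.sorbs.net, which
# the dnsbl.sorbs.net aggregate already contains).
ZONES: List[str] = [
    "sbl.spamhaus.org",
    "xbl.spamhaus.org",
    "dul.dnsbl.sorbs.net",
    "bl.spamcop.net",
    "web.dnsbl.sorbs.net",
    "dnsbl.njabl.org",
]

Resolver = Callable[[str], bool]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Standard DNSBL lookup name: IPv4 octets reversed, zone appended.
    Raises ValueError on anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dns_resolver(name: str) -> bool:
    """Real lookup: a DNSBL answers with an A record when the IP is listed
    and NXDOMAIN otherwise. A zone that is dead (no answer, like the
    dnsrbl.net case in the thread) counts as not listed, so the check
    fails open instead of blocking every sender."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def make_fake_resolver(listed: Dict[str, Iterable[str]]) -> Resolver:
    """Constructed offline resolver: maps each IP to the zones that list it."""
    names = {dnsbl_query_name(ip, z) for ip, zs in listed.items() for z in zs}
    return lambda name: name in names


def check_sender(ip: str, zones: List[str], resolve: Resolver,
                 min_matches: int = 2) -> dict:
    """Query every zone for one sender; flag as spam only when the number
    of listing zones reaches min_matches."""
    hits = [z for z in zones if resolve(dnsbl_query_name(ip, z))]
    return {"ip": ip, "hits": hits, "spam": len(hits) >= min_matches}


def hits_per_zone(ips: Iterable[str], zones: List[str],
                  resolve: Resolver) -> Counter:
    """Tally listings per zone over a batch of senders, the way a
    Hits/zone table is built, to see which zones actually fire."""
    tally: Counter = Counter({z: 0 for z in zones})
    for ip in ips:
        for z in check_sender(ip, zones, resolve, min_matches=1)["hits"]:
            tally[z] += 1
    return tally


# Constructed sample listings (RFC 5737 documentation ranges, not real
# senders): a customer mail server that is only on the dynamic list,
# and a host listed by three zones.
SAMPLE_LISTINGS = {
    "192.0.2.10": ["dul.dnsbl.sorbs.net"],
    "198.51.100.7": ["dul.dnsbl.sorbs.net", "xbl.spamhaus.org", "bl.spamcop.net"],
}
FAKE_RESOLVE = make_fake_resolver(SAMPLE_LISTINGS)

if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(check_sender(sender, ZONES, FAKE_RESOLVE, min_matches=2))
    print(hits_per_zone(SAMPLE_LISTINGS, ZONES, FAKE_RESOLVE))
```

With `min_matches=2` the server that is only on dul.dnsbl.sorbs.net passes while the host on three zones is flagged; with `min_matches=1` the dynamic-list entry alone would block it, which is the situation the first post describes. Swapping `FAKE_RESOLVE` for `dns_resolver` turns this into the local check Roman suggests instead of depending on SFDB submitters.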


Posted By: Desperado
Date Posted: 17 May 2006 at 5:20pm

Roman,

For what it's worth, I find the combined.njabl.org to be very good.  AND, they report nicely which list caused the listing.  I have had no known or at least chronic issues.



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: Guests
Date Posted: 17 May 2006 at 6:00pm
OK, I've added dynablock.njabl.org to the end of my list and will try to keep an eye on it.
 
Thank you Dan, Stephen.


