CastleCops, Internet Crime Fighters
Commentaries: SORBS and bad Internet Providers out to destroy EMail.
Email Hassles!
Snail writes "Hello.
My name is Greg, and I am the person who originally started this contact with SORBS after they targeted my own SMTP server.

Below, I shall include actual emails and point out the frightening path this trend is taking.

Throughout the month of October I have been having trouble with my company and employee email bouncing back as SPAM.

What you have to understand is that I host my own SMTP (email) server, so that I can eliminate SPAM.

I was like many of the trusting sheep of years past, using the so called free for life email services offering the promises of security, spam removal and no viruses... HA, what a joke that all turned out to be.

Disgruntled with all the B.S., I thought, why can I not simply host email on my own? Guess what, I can... not only could I, I did. For over 3 years, I have run an exceptionally clean SMTP service.

Then it happened... I moved.

For personal reasons I won't get into in this letter, I moved to a quiet and somewhat remote location.

Sadly, the only internet provider available, is also considered one of the worst in the nation, and leaving that story out of it, I found myself with a dilemma.

The problem to which I refer is that of port blocking.
For those who do not know the meaning of port blocking; it is when a provider disables a communication service without permission in an effort to protect you. This is sort of like sewing a person's mouth shut so they don't eat any poison... forget the fact they still must eat.

Now, understanding me thus far, that I am a strong advocate for security and that I don't leave said security to the chance of inadequate email services, you will understand my anger when a security firm started marking my SMTP service as SPAM.

Any time I have internet issues, my first thought is that it is the cable company at work doing what they do best, causing chaos, and most of the time, I am correct in this assumption.

Further investigation of the emails not getting to their destination however, proved that while the cable provider I use is at the heart of the problem, the actual blockage was SORBS.

SORBS? What is this s.o.r.b.s.?
(Spam and Open-Relay Blocking System)
SORBS is a somewhat self appointed global security firm that deals specifically with email protection.

While spammers are on one end of the extremists who attack email services, SORBS is on the other end of the extremists who feel the only way to protect email services is to take them away.

The problem, is the extremist aspect. And that too many people blindly trust SORBS.

How does it work?
Well, let's say you run an SMTP server for handling email.
Let's say you are not savvy about security (which if you are hosting a server should be) or you simply don't have time to keep up on all the world's email threats... enter in SORBS.
Someone sends an email, your SMTP server scans it for infection, bad content, destination, origination (well, at least in theory as MOST of the world's SMTP servers don't, especially those like Yahoo or Google, etc.).
Now, as an additional level of security, your SMTP server contacts SORBS and asks their service, is there any reason I shouldn't deliver this email? And based on their oh so trusted services, the SMTP server responds to either send the email or reject sending it.

Fortunately, the use of SORBS is an optional level of security and NOT a must for hosting SMTP.
Sadly, many people have been using SORBS for ages and some don't even recall they have it.

SORBS maintains a database of all sorts of email threats, and much like the worthless credit card information systems, will damn a person without question, often using wrong information, and make it nearly impossible to fix.

So, as I was stating, in October of 2004, I started seeing all sorts of rejected emails, and tracked the problem to SORBS.

Many failed attempts to contact them resulted in only enraging me further and taking direct actions to resolve this matter.

I began investigating options, contacting other security groups being plagued with SORBS support issues, and as not only owner of my company but also the senior security consultant, I am forced to make a decision how to best and quickly handle the matter.

This I decided, would be to present the problem to the public, to various NEWS groups, and in short, help people to understand what was happening to their email.

On November 15, I was able to contact a SORBS support person and sent them all the information as well as condition of the problem.

On November 16, I was responded to as such:

=============================================================
From Oleg Ivanov:

Sorry, apparently your message was truncated (but I think I got the idea).

You shouldn't be running an outbound mail server on a dynamic IP address.

Since the above IP is dynamically assigned, we can not remove it from
DUHL and you should either obtain a static address, smarthost your mail
or route it via your ISP mail servers.

Your best option (especially if your IP is dynamically assigned) may be
to set your server to relay outbound mail via your provider's email
server (or any third party server you are allowed to use), using a
smarthost or gateway setting. Please consult your mailserver
documentation. You may also want to contact your provider for more
specific information on this alternative.
=============================================================

I responded to that letter on the 17th and included the original email again, responded to the message from SORBS, and added some more information. I then waited.

This is what I wrote:

=============================================================

I appreciate your response, but since you did not get the full message, I am sending this back and hope for a better action to the problem.

>>
More and more of late, I and many like myself (small business owners and J.Q
public) have been getting flooded with emails rejected as SPAM and returned because
of a 2 part problem.

The first part, are worthless lazy internet providers (not to be confused
with internet service providers, as these companies pass themselves off as ISPs
but do not provide the basic services that define the internet... cable
companies are often a good example) that attempt to block mail (and other)
services rather than properly address the issues of what it takes to be an
ISP, thus forcing users to seek alternative means to host services.

Instead of just port 25 being used for email, now, even more ports are in
use.

This ignore the problem approach doesn't help anyone and in fact only
makes related problems worse. For example, instead of spammers using only
port 25, they can try 25, 2525, 5025, etc.
For companies to portblock using this bad logic of security, means that they
will have to continue to block port after port until finally, they port
block their business out of existence.
For some of the worse providers, that may not be such a bad thing, but in
the end, it is the users who are getting abused, not only by spammers, but
by their provider as well.

This, I don't expect SORBS to resolve... however, it does pertain to the
second problem...

The second part, is thus...
because of these ignorant providers, many legitimate SMTP hosts (who in
their right mind would use a free email service when they can host their
own and have superior protection) have had to resort to using port mapping.

It is insulting enough that providers are trying to take away the most basic
functions of the internet such as hosting a webpage or having your own email
but then people start placing trust in a project like SORBS (a Big Brother
email server watchdog service that decides who is and is not safe to use
email)...

At first, it seemed like a good idea.
You find a spam server, report it, they put it on their blacklist and
anyone using their service will ignore all email coming from that spam
server; until...

SORBS began declaring dDNS and non port 25 redirects as spam.

More and more, emails are getting rejected due to SORBS declaring the mail
as unsafe when in fact it is perfectly legitimate.

It is not the fault of the host that bad providers are abusing them, and
that they must seek other methods to use the most basic of internet services

I pay for a top level domain name, and have to resort to a dDNS to route
email. I hate this, I hate the cable provider I have for doing this to me,
but it's the only option where I live, making them a horrible monopoly...
none the less, I have merged the dDNS and my domain to have working email,
as are more and more people being forced to do.

If SORBS continues to block dDNS and routing services, because of the
actions of bad internet providers, hundreds if not thousands of legitimate,
provider abused SMTP hosts (and even the simple home based users, especially
on dial-up) will be put out of commission.

Further, that SORBS puts SMTP servers out of commission without so much as
a contact attempt... while at the same time makes
people jump through hoops to fix a problem SORBS has caused, is unacceptable.

On Monday the 22nd of November, I will be involved in a news conference discussing
the problems and abuse being inflicted on small business by would be internet security
that is forced on people. The main focus will be on cable providers trying to do away with
HTTP and SMTP services without so much as asking or offering a choice in this effort
to protect.

I feel however, unless I can be convinced otherwise, that the actions of SORBS (and yes,
I do take this personal as SORBS has tagged my SMTP server as SPAM, when my
system has never sent spam nor allows it to pass) should be included in this problem
report to the press.

The whole notion of curing the disease by killing the patient has not been tolerated
in the past, and it will not be now. I sincerely hope SORBS intends to correct this problem.
If SORBS truly intends to help in the area of SMTP issues, they should first address
one of the biggest problems, the bad service providers that are inflaming the spam problem.
It is this forcing of people to use more than port 25 that is creating multiple battlefronts
and it is wrong to punish the victims because of it.
>>

Also, pertaining to this statement... choose your words wisely.

Since the above IP is dynamically assigned, we can not remove it from
DUHL and you should either obtain a static address, smarthost your mail
or route it via your ISP mail servers.

As SORBS is responsible for having created the blocking problem, they had better be able to correct it.
If SORBS is causing problems that can not be corrected, I assure you, it will be viewed as a serious internet threat.
Further, that you demand a static domain, is not rational.
Many dialup users have their own SMTP servers; many ISPs who offer cable, DSL, etc, do not even maintain static addresses;
the ghastly time involved in ANAME record updates makes dDNS use very fast and convenient, and more so than ever,
this is the way things are... should the ANAME servers ever be replaced by something not of the dark ages of the internet,
that condition may change, but for now, dDNS resolves a great number of internet related problems and until SORBS got involved, was working very well.

As for the notion of smarthosting or using the service provider...
First, it completely undermines the whole point of self hosting.
Second, given the scenario above, which is becoming too common, is not a viable option.


I await your response.


=============================================================

On November 18th, I received this short, and very disturbing response:

=============================================================
I still remember the times when an open relay was a courtesy to the
arpa.net users...

Well, these times are gone. As are the open relays.

Nowadays 95 percent of the spam is transmitted via trojaned (mostly
home) computers.

This is the reason sorbs believes that OUTBOUND mail relays should be
run from static IP addresses only.

And we make no exceptions from this policy - my own IP is listed too,
even the primary MX of Matthew Sullivan (the owner of sorbs.net) is
listed in DUHL:

=============================================================

What does this tell people?
SORBS email security intends to take away email services from anyone not paying for a top level domain.
They intend to eliminate all dDNS email services.
They intend to make useless portmapped services and in turn, escalate the problem of bad internet providers, thus helping spammers.
They intend to eliminate all at home email services.
They already block their own members!
If they screw up, they will not apologize, more so they will not correct the problem!!!

Further, I do not run my SMTP server in open relay format as suggested. Open Relay allows anyone to use the SMTP server. My SMTP is and always has been for my users only. Any attempt from someone not listed in my SMTP user accounts gets rejected, as should all SMTP servers be set.

The fact that SORBS assumes I don't understand these things is yet another insult to me and embarrassment to them.

As such, in my opinion, this makes SORBS one of the greatest threats to email services the world has ever seen.

Further, I will be reporting this information to my company's security division, and contacting as many other security groups as possible.


As of December 10, 2004
Over 140 security groups have been notified.
Go Daddy, a large domain provider has dropped SORBS.
Several smaller ISPs have dropped SORBS.
My pathetic cable provider, continues to use SORBS.

SORBS, has had nothing more to say.

I strongly urge people to protest SORBS action.
I feel they can provide a great service to the world at large, but not under these conditions.

Note: I originally wanted this in the Reviews, but couldn't get ahold of the news submitter Snail. Snail, please submit this in the Reviews section: here, it is better suited there. "
Posted on Monday, 20 December 2004 @ 19:21:31 UTC by Paul (5158 reads)

Re: SORBS and bad Internet Providers out to destroy EMail. (Score: 1)
by stan_qaz  on Monday, 20 December 2004 @ 23:38:10 UTC
I really don't see this problem as SORBs, I see the problem being the clueless ISPs that block using it.

Mail on the SORBS list should be given more stringent anti-spam checking than mail not on the list but should not be rejected based on that listing alone.

Many other DNSBLs offer similar services and most of them recommend not blocking the mail based on the listing but rather using the listing as an indicator that the mail deserves closer checking before delivery.



Re: SORBS and bad Internet Providers out to destroy EMail. (Score: 1)
by Snail  on Wednesday, 22 December 2004 @ 16:55:54 UTC
[quote]
Note: I originally wanted this in the Reviews, but couldn't get ahold of the news submitter Snail. Snail, please submit this in the Reviews section: here, it is better suited there.
[/quote]

Hmmm, quite sorry, I never received a message (aside from the PM I am just noticing).
For future reference, please feel free to move my posts wherever you best feel they are fit to post.

Quite honestly, I had thought it was just sent to the round file as it didn't post until now ;)

And, I have submitted as asked to the link provided.

As to Stan's post:
[quote]
I really don't see this problem as SORBs, I see the problem being the clueless ISPs that block using it.
[/quote]

In part, I accept your statement, but not on the whole.
Many of these clueless ISPs as well as educated ones, are putting their entire faith of security in the hands of SORBs, and sorbs is handing them a load of tripe.

I would also like to add, Go Daddy has reversed its decision, and is now siding with SORBs decision to do away with SMTP services.

At this time, I will not be able to go into more details as several legal actions are being investigated.
What I can say, and will eventually elaborate on further, is that this decision by SORBs and those providers who follow, has resulted in small business dependent on email based clients being severely hurt.
As this falls under Post Office Protocol 3 and is considered mail tampering of paid services, Go Daddy is now facing a lawsuit.

With changing laws, and all involved, I do not know what to expect but do hope it sets an example that these 3rd party rogue security groups and bad providers will be held responsible for their actions.



Jan 24 2005 update (Score: 1)
by Snail  on Monday, 24 January 2005 @ 12:30:57 UTC
A brief update.
Those involved in the legal investigation into this situation have concluded, that even with all current changes to law, the intentional tampering of business email is still covered under the laws of mail tampering and is a federal offence.

What now remains to be decided, is how to deal with SORBS in this matter, as so far this is being directed mainly at Go Daddy, and if it is better to fight it out or bite the bullet.

The law is clearly on the side of those whose email are being blocked.
But the cost of fighting for that right may be higher than the cost of finding a new provider.
The issues to complicate matters are that Go Daddy not only hosts this small business email, but also their domain. Go Daddy has stated they will not transfer these, and, they have been paid up until 2007.

Changing providers now would mean losing the decade long established name and account. It also means changing office supplies, business cards, etc. as well as potentially losing the money that has been paid in advance.

On the other hand, a conviction of mail tampering carries with it a $250,000 fine and if taken to court, means it could destroy Go Daddy as each and every customer involved in what would become a class action suit would levy that fine against Go Daddy.
It would also set precedence toward any other email provider who refuses to not stop unwanted filtering of email.

So, there we have it, for the moment, all that is certain is that Go Daddy has broken the law.



A sad conclusion. (Score: 1)
by Snail  on Sunday, 30 January 2005 @ 20:47:53 UTC
Instead of the business site once posted at Go Daddy, this text has now replaced the calm images of herbs and wildlife.

Hello.

If you came here seeking (any potential online business) or any of its products, please read further.

For several months now, this small business has been battling with Go Daddy (the host here) over some very dirty business practices.

On Friday, February 28, 2005 the attorneys for (any potential online business) came to this conclusion:

1. Has Go Daddy betrayed the trust of its users?
YES

2. Has Go Daddy willingly and with intent, blocked crucial mail to (any potential online business) thereby damaging it financially?
YES

3. Has Go Daddy intentionally lied about its policy to unblock and desist in its mail tampering once contacted?
YES

4. Has Go Daddy in effect held the finances of (any potential online business) hostage?
YES

Go Daddy has been costing (any potential online business) business by the intentional blocking of e-mail.

They did this on their own, without first consulting us.
They were contacted on several occasions and even though were requested to stop, continued to do so.
(Any potential online business), is heavily dependent on its e-mail from people worldwide.

Because Go Daddy is (soon to be, was) host to our websites, DNS and e-mail, they have had (any potential online business) over a barrel so to speak.

The sad conclusion, attorneys for (any potential online business) while they find the behavior of Go Daddy to be downright loathsome, find no law that Go Daddy has broken under which any compensation can be had. As of the first of 2005, all USA laws protecting e-mail as a Post Office Protocol were abolished.

Let this be a brutal lesson to all, unless you own your own e-mail server, anyone at any time can do what they want to your e-mail and unless they inflict up to $5,000 in hardware damages, can not be held responsible or charged in any way.

As such, (any potential online business) is now forced to change its name, address, e-mail and pay yet again for all those services.

Because this site was paid in advance, it will remain here like this until such time that it expires.
In accordance with our attorneys, this in no way violates the contract with Go Daddy;
it is not false, nor is it mis-represented, and is therefore legal to post.

You may continue to our new site located at: (yet to be determined with so many considerations)

In addition to what is required to make a new site are search engine promotion, finding another host that can't do the same, changing letterheads, business cards, etc.

For a government that claims to have pushed so hard in the last couple of years for SPAM regulation, they sure have proven they had no intent to protect people by having all laws on e-mail abolished.

Consideration is being given to buying a broadband line and setting up self hosted servers.
Sadly, it still leaves an ISP and Domain Provider in the process.




Re: SORBS and bad Internet Providers out to destroy EMail. (Score: 1)
by Snail  on Monday, 23 May 2005 @ 23:49:15 UTC
It is more important now than ever, to run your own SMTP server.



Microsoft has won a patent that could give the company control of certain essential features found in multiple email applications.

The company was granted US patent number 6,895,426 on Tuesday. The patent covers, treating electronic mail addresses as objects.

Among other uses of this patent, Microsoft claims the technology lets email addresses be added to a contact list easily: it also covers situations in which a user copies an address to a clipboard or double-clicks to access contact information that is relevant to an email address.

Email addresses are treated as objects in the message preview pane and full message windows of both incoming and outgoing email messages. A small icon is added to the text of each address. In a preferred embodiment, the icons will vary depending on the pedigree of the address, the patent, which was filed on October 17, 2000 claims.



Re: SORBS and bad Internet Providers out to destroy EMail. (Score: 1)
by inetekk  on Thursday, 02 February 2006 @ 22:24:20 UTC
We have been running email services for 5,000 users for over 12 years with the same IP address for all of our servers. All outgoing email falls under three categories.
1. Verification double optin requests from forms being filled out. By the book, non commercial, verification email.
2. Verified outbound email which carries the verification info in both header and footer of the email, (date time stamp, ip address at submission, ip address from email verification, etc.) with mechanisms to stop future email (Suppression).
3. Autoresponded messages replying to incoming email.

SORBS received one of these verification requests, to one of their spamtraps and blacklisted us over 6 months ago. When I contacted them, they said I was a spammer because our system sent an email to their secret spamtrap address. I asked them to look at the email in question. That I was sure it was either a bounce from our system to the return email address (That being their spamtrap) or a verification double optin request from someone using their spamtrap email address.

Their reply was you are a spammer. All spammers lie. Therefore I was lying. They would not even take the time to look at the email in question. They said they had better things to do.

Plus, now they want money to be removed from their RBL. I do not want to change my IP address. I want a real solution to this issue.

Thomas Prendergast
CEO
Inetekk.com, Inc.

P.S. We have hired Habeas to audit our system. Does anyone know how effective they are?



Re: SORBS and bad Internet Providers out to destroy EMail. (Score: 1)
by inetekk  on Friday, 24 February 2006 @ 22:03:54 UTC
Update:

I finally was able to establish a credible dialog with the guys at SORBS. They explained that our mail servers need to filter out forged emails. They sent me copies of the problem mail. It was autoresponders sending back to spam traps in forged addresses.

They have been very helpful in directing us to achieve that goal. For this I am very pleased.

I paid the fine to my choice of charity and we are now out of the SORBS, RBL.

My opinion of SORBS has improved. Our Achilles heel was the issue we needed in our incoming mail servers and we are now addressing that.

We have also hired Habeas to audit our mail system to tighten up our email.

Now, what about the big play AOL and others are pulling to charge to deliver email?

Thomas Prendergast
CEO
Inetekk.com, Inc.



Re: SORBS and bad Internet Providers out to destroy EMail. (Score: 1)
by SecurityConsultant  on Friday, 27 April 2007 @ 18:14:44 UTC
I have two words, Due Diligence.

A security consultant should not be ignorant of the security implications of running a small business on the cheap out of a home. There are better and cheaper alternatives and as a small business owner you should have contingency plans for dealing with failure.

The issue with SORBS is that you have to be an idiot to subscribe to all their RBLs. Yes, they run multiple RBLs. Dynamic RBL is comprised of IP addresses that ISPs submit to SORBS as sources email should not be coming from. That's a low risk list to subscribe to since the ISPs are making the call on which IP addresses to add or remove. The Vulnerability RBL is high risk and should not be subscribed to since it is port based and you can run just about any service on any port.

That's the issue I take with this article. Which SORBS RBL are you in? If it's the Dynamic RBL then your issue is with your ISP, not SORBS. My guess, the issue with your ISP is that they want Small Business owners to subscribe to a Business ISP package instead of the cheaper, less featured Residential ISP package. See first paragraph, SLA is an acronym a small business owner and security consultant should know.
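
The approach raised in the comments by stan_qaz (use a listing as an indicator for closer checking, not as grounds for rejection on its own) and by SecurityConsultant (choose which lists to subscribe to by risk) is shown here as an added example; it is not code from any commenter or from SORBS. The zone names, weights, thresholds and sample DNS records are assumptions constructed for illustration, and the resolver is a stand-in so the block runs offline.

```python
"""Added example: DNSBL listings as a weighted signal, never a verdict on their own."""
import ipaddress

# Hypothetical zones and weights (assumptions for illustration, not real services).
ZONE_WEIGHTS = {
    "dynamic.dnsbl.example": 1.5,   # ISP-declared dynamic ranges: weak signal
    "spamtrap.dnsbl.example": 3.5,  # spamtrap hits: stronger signal
}
DNSBL_CAP = 4.5   # listings alone must stay below REJECT_AT
REJECT_AT = 5.0
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets (or IPv6 nibbles) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def is_listed(ip, zone, resolve):
    """resolve(name) returns a list of A-record strings, or [] for NXDOMAIN.

    Only answers inside 127.0.0.0/8 count; anything else (for example a parked
    domain answering every query with a public address) is not a listing.
    """
    answers = resolve(query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)


def zone_is_healthy(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))


def dnsbl_score(ip, resolve, weights=ZONE_WEIGHTS):
    """Sum the weights of healthy zones listing ip, capped below the reject line."""
    hits = [z for z in weights
            if zone_is_healthy(z, resolve) and is_listed(ip, z, resolve)]
    return min(sum(weights[z] for z in hits), DNSBL_CAP), hits


def decide(ip, content_score, resolve, weights=ZONE_WEIGHTS):
    """Combine the content filter's score with the DNSBL signal."""
    bl_score, hits = dnsbl_score(ip, resolve, weights)
    if bl_score + content_score >= REJECT_AT:
        return "reject", hits
    if hits:
        return "accept-with-scrutiny", hits  # deliver only after stricter checks
    return "accept", hits


# Constructed sample records standing in for DNS answers (not real listings).
SAMPLE_RECORDS = {
    "2.0.0.127.dynamic.dnsbl.example": ["127.0.0.2"],
    "2.0.0.127.spamtrap.dnsbl.example": ["127.0.0.2"],
    "25.2.0.192.dynamic.dnsbl.example": ["127.0.0.10"],
    "26.2.0.192.dynamic.dnsbl.example": ["127.0.0.10"],
    "26.2.0.192.spamtrap.dnsbl.example": ["127.0.0.6"],
}


def sample_resolve(name):
    """Offline stand-in for a DNS A-record lookup."""
    return SAMPLE_RECORDS.get(name, [])


if __name__ == "__main__":
    for ip, content in [("192.0.2.25", 0.5), ("192.0.2.26", 0.0),
                        ("192.0.2.25", 4.0), ("198.51.100.7", 0.5)]:
        print(ip, content, decide(ip, content, sample_resolve))
```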


 