Ted Mittelstaedt tedm at
Sat Feb 12 11:18:24 GMT 2005

> -----Original Message-----
> From: owner-freebsd-questions at
> [mailto:owner-freebsd-questions at]On Behalf Of
> cpghost at
> Sent: Friday, February 11, 2005 8:23 PM
> To: freebsd-questions at
> Subject: in SORBS, AGAIN!
> Hello,
> for some reason, is being repeatedly added to,
> and some days later removed from the SORBS dnsbl. They keep
> adding it, and then removing it with a reason: Listed in error.
> Right now, it's listed again.
> >From their DB page
> Database of servers sending to spamtrap addresses
> Address:
> Record Created:	Mon Jan 31 10:14:47 2005 GMT
> Record Updated:	Thu Feb 10 04:59:33 2005 GMT
> Additional Information:	Received: [email]
> Currently active and flagged to be published in DNS
> This is going on for many days now, and the only workaround
> (or solution?) is to avoid SORBS until they fixed that problem
> for good.
> Does anyone know what's going on there?

A spammer is forging several of SORBS spamtrap e-mail
addresses on their outgoing spams.  The spams hit
which of course is bouncing them back to the sender, which
is in this case is the spamtrap e-mail addresses.  This
triggers the SORBS autolisting.

I don't know if the spammer knows that they have stumbled
over a SORBS spamtrap address or not.  They probably have
figured it out by now, though, and are now deliberatly 
attacking SORBS by repeatingly sending out spams with
the forged spamtrap address.

The goal of course is to do EXACTLY as you are advocating -
to get people to stop using SORBS.  If enough people do this then SORBS
becomes ineffective and we have just lost one more blacklist.

If your using sendmail, you should be able to workaround this by
putting the mailserver's IP address in your access.db
file, that should override the lockout check.  (assuming your
using sendmail to call SORBS)  If your using SORBS from
SpamAssassin, then you can whitelist the freebsd mailing list

If this is the case it will be very difficult for the SORBS
operators to figure out which ones of their honeypots have been
compromised, if the spammer knows what they are doing.

I personally don't use SORBS on my mailservers, but not because
I don't think they are a good blacklist.  I really don't know
enough about them to know if they are good or not.  However
I do run a script that examines the counts of mail blocked by
blacklist servers, and I periodically review them and prune
away the blacklist servers that appear to be ineffective.  I would
suggest that you do the same and use the results of this
to determine whether to continue using SORBS.


More information about the freebsd-questions mailing list