GFI/SORBS considered harmful

Act 1Act 2IntermezzoAct 3Act 4Act 5
Management Summary, Redistributable Documents and Links
A little over a year ago the SORBS blacklist was purchased by GFI Software. I had fairly high hopes that it would improve significantly, start behaving with some level of professionalism and competence and become a useful data source, in much the same way that the SpamCop blacklist turned into an accurate, professionally run source of data after they transitioned from being a volunteer run blacklist to a service of IronPort.
GFI’s statement a year ago was:

GFI is now actively developing plans for the future of SORBS, including SORBS 2.0 and methods to improve SORBS data and responsiveness.

They’ve had a year to do that, so how have they done? Yesterday, my good friend Delivery Kitty reminded me to take a look at GFI/SORBS. Today responsiveness. Tomorrow, data quality.
Responsiveness
I don’t send any email other than personal email myself, and I don’t represent large email senders in any professional capacity, so I don’t have much personal experience to go on (edit, well until I tried to use the GFI/SORBS website to research tomorrow’s post, anyway). So I did some informal polling, looking on twitter, and asking some friends in the industry.
The much-repeated story is that there’s been no real improvement in responsiveness – tickets are routinely ignored, or not responded to for months, and when they are responded to the responses are anything but helpful. Also, any mistake or problem tends to be blamed on “a DDoS”, even those issues that are obviously human error, poor database design or other systemic issues.
One senior sysadmin on GFI/SORBS’ handling of their recent batch of false positives:

There’s a huge screwup that has been visible in their public-facing production systems for 3 days, doing harm to their users’ mail flows.  The visible evidence says to me that someone at SORBS knows there’s a problem, and has known for at least a couple of days. And still, there has been no action to really repair the damage or even acknowledge it. SORBS is publishing lies in its zones, and while I can tolerate the occasional little “oops” that is handled swiftly and maturely, this is not such an incident.

Random tweet:

Finally got SORBS to delist my IP addresses…only took three months!!

Abuse specialist from a large mailing list operator:

Rather than operating on “Internet time,” SORBS seems to work on “Redneck time,” that is, they’ll get around to it when they get a round tuit.

Senior Security Engineer at a major regional US broadband provider:

SORBS uses bellicose, immature, and incompetent volunteers who are more interested in arguing the 1996 view that all spam is the senders fault regardless than in delisting ip addresses that were wrongly listed.

And a final quote that, I think, shows that frustration with SORBS responsiveness has gone from actual concern into black humor:

Imagine SORBS responses in Dalek voice:
DNS TTL not high enough!  Exterminate!
Didn’t fill out the form!  Exterminate!
Dynamic IP according to our records!  Exterminate!
We’re humble volunteers!  EXTERMINATE!!!!!!!!!

(Several of the people who gave me those quotes asked me explicitly not to mention them, or their employers, by name due to a history of harassment-by-false-blacklisting of people who speak publicly about GFI/SORBS practices. So I’ve tried to remove all the identifying information from all the quotes.)
Digging into the data quality issues takes a little longer, so that’s for tomorrow.

Related Posts

Content based filtering

A spam filter looks at many things when it’s deciding whether or not to deliver a message to the recipients inbox, usually divided into two broad categories – the behaviour of the sender and the content of the message.
When we talk about sender behaviour we’ll often dive headfirst into the technical details of how that’s monitored and tracked – history of mail from the same IP address, SPF records, good reverse DNS, send rates and ramping, polite SMTP level behaviour, DKIM and domain-based reputation and so on. If all of those are OK and the mail still doesn’t get delivered then you might throw up your hands, fall back on “it’s content-based filtering” and not leave it at that.
There’s just as much detail and scope for diagnosis in content-based filtering, though, it’s just a bit more complex, so some delivery folks tend to gloss over it. If you’re sending mail that people want to receive, you’re sure you’re sending the mail technically correctly and you have a decent reputation as a sender then it’s time to look at the content.
You want your mail to look just like wanted mail from reputable, competent senders and to look different to unwanted mail, viruses, phishing emails, botnet spoor and so on. And not just to mechanical spam filters – if a postmaster looks at your email, you want it to look clean, honest and competently put together to them too.
Some of the distinctive content differences between wanted and unwanted email are due to the content as written by the sender, some of them are due to senders of unwanted email trying to hide their identity or their content, but many of them are due to the different quality software used to send each sort of mail. Mail clients used by individuals, and content composition software used by high quality ESPs tends to be well written and complies with both the email and MIME RFCs, and the unwritten best common practices for email composition. The software used by spammers, botnets, viruses and low quality ESPs tends not to do so well.
Here’s a (partial) list of some of the things to consider:

Read More

It doesn't matter what you say

“What should we tell the ISP?” is a frequent question from my customers. The answer is pretty simple. It doesn’t usually matter what you tell the ISP. What matters are your actions.
If a sender is having delivery problems then the solution is not to call the ISP and talk to them about why the sender’s mail should not be delivered to the bulk folder. Instead, the solution is to evaluate the email and the address acquisition process and the list hygiene process. Identify where potential problems are and then resolve those problems.
Typically, the ISPs won’t need to be contacted. The changes to the email will register and delivery will improve. In some cases, particularly when there’s been some major mistake, contacting the ISP and explaining the mistake and what steps have been taken to stop the mistake from happening in the future may help resolve the issue faster. But if nothing has changed, then there’s no reason for the ISP to expect anything to change.
It doesn’t matter what you say. It matters what you do.

Read More

Getting removed from an ISP block

A question came up on a mailing list about how long it typically took to resolve a spam block at an ISP. I don’t think that question actually has a single answer, as each ISP has their own, special, process.
ISPA takes 5 minutes. You fill out a form, it runs through their automated system and you’re usually delisted.
ISPB asks a lot of questions in their form, so it takes about 15 minutes to collect all the data they want and 10 minutes to fill out their form. Then, using very, very short words you keep repeating what you need to the tier 1 person who initially responded. That person eventually figures out they can’t blow you off and throws your request to tier 2, who handles it immediately.
ISPC has a different, somewhat long form. Again, you spend time collecting all the data and then fill out the somewhat obscure form. You get a response, but it’s a boilerplate totally unrelated to the initial request, so you keep answering until you find a tier 1 rep who can read and do what you initially asked.
ISPD has a form that takes about 2 minutes to fill out. Unfortunately, it goes to an outsourced postmaster team in the Far East and response times are ranging from days to months right now.
ISPE has an email address and if you catch them on a good day, they’re very helpful. Sometimes there’s no response, though.
ISPF has a troubleshooting page and accept requests to fix things, but never respond in any visible manner.
ISPG they tells you to talk to Spamfiltering Company H.
Spamfiltering company H answers their email in a prompt and friendly manner. OK, sometimes the answers are just “wow, your client/customer/IP range is sending lots of spam,” but hey, it’s an answer.
Spamfiltering company I is a useless bag of protoplasm and don’t even answer the email address they give you on their webpages. In a fit of fairness, I have heard they will occasionally respond, but usually that response is to tell you to go pay some apparently unrelated company a bribe to get delisted.
Spamfiltering company J doesn’t have a lot of ways to contact them, but have a lot of folks that participate in various semi-public arenas so if you’re even slightly part of the community, you can email them and they’re very helpful.
Spamfiltering company K is totally useless, but will tell you to have recipients whitelist you.

Read More