GFI/SORBS – I'm blacklisted, now what?

In the past week we’ve demonstrated that the SORBS reputation data is riddled with mistakes, poor practices, security holes and operational problems, and that the quality of the end result is really too poor to be useful.
What does this mean to you though? There are really two aspects: 1. what to do if you’re blacklisted or blocked by GFI or based on GFI/SORBS data and 2. how this information should affect your choice of spam filtering technology. We’ll be looking at the first point today, and the second tomorrow.

I’ve been blocked by SORBS! What should I do?

1. Don’t Panic

First, don’t panic. Just because you’re listed on SORBS, it doesn’t mean it’s having much, if any, effect on your email. (When we last measured the impact of a SORBS listing, it was responsible for about 0.01% of mail rejected. That is not 0.01% of the mail sent, but of the mail that was rejected: about 1 in 10,000 rejections appeared to be due to SORBS.)
Different people sending mail to different recipients will see different impact from any given blacklist. So you need to look at whether your mail is being rejected. If you’re not seeing problems with mail being rejected, the listing is not something you need to care about.
2. Check to see if you’re really listed
Next, see if you’re listed on the SORBS blacklist. Find the IP address of your outbound smarthost – perhaps it’s 10.11.12.13. Reverse the order of the numbers, and put “.dnsbl.sorbs.net” on the end to give something like “13.12.11.10.dnsbl.sorbs.net”. Open up a command prompt (on Windows do Start -> Run… and enter “command”) and use nslookup on that string:

C:Steve>nslookup 13.12.11.10.dnsbl.sorbs.net
Server: i
Address: 192.168.80.100
i can't find 13.12.11.10.dnsbl.sorbs.net: Non-existent domain

What you’re looking for is “Non-existent domain” or “NXDOMAIN”. If you see either of those, then you’re not listed on SORBS.
If, instead, you see “timed out” or “SERVFAIL” then SORBS is broken, and you can’t tell.
If you see something near the end starting with “127.0.0.” then you probably are listed on SORBS:

C:Steve>nslookup 13.12.11.10.dnsbl.sorbs.net
Server: i
Address: 192.168.80.100
Non-authoritative answer:
Name: 13.12.11.10.dnsbl.sorbs.net
Addresses: 127.0.0.10

You can tell which SORBS list you’re on using the table on this page. (If the SORBS website is down then the two interesting values are 127.0.0.10, which means you’re listed as a dynamically assigned address, and 127.0.0.6, which means you’re listed as a spammer).
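
The lookup in step 2 as a script (an added example, not part of the original post): it builds the reversed query name and applies the same three-way reading of the answer. The function names, the mapping of resolver errors to "unknown", and treating an answer outside 127.0.0.x as "unknown" are assumptions of this example.

```python
import ipaddress
import socket

ZONE = "dnsbl.sorbs.net"
# Only the two return codes this article names; the rest are in the SORBS table.
KNOWN_CODES = {
    "127.0.0.10": "dynamically assigned address",
    "127.0.0.6": "spammer",
}

def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the blacklist zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Ask the OS resolver; return (status, addresses).

    Assumption: EAI_NONAME maps to NXDOMAIN and any other resolver
    error (timeout, SERVFAIL) means the answer is unknown.
    """
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return "ok", sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        return ("nxdomain" if exc.errno == socket.EAI_NONAME else "error"), []

def classify(status, addresses):
    """Apply the article's three-way reading of the lookup result."""
    if status == "nxdomain":
        return "not listed"
    hits = [a for a in addresses if a.startswith("127.0.0.")]
    if status != "ok" or not hits:
        # Timeout, SERVFAIL, or an answer outside 127.0.0.x: cannot tell.
        return "unknown"
    return "listed: " + ", ".join(
        f"{a} ({KNOWN_CODES.get(a, 'see SORBS table')})" for a in hits)

def check_listing(ip, resolver=system_resolver):
    return classify(*resolver(dnsbl_query_name(ip)))

if __name__ == "__main__":
    # Constructed resolver replies mirroring the two nslookup runs above.
    canned = {"nxdomain": ("nxdomain", []), "listed": ("ok", ["127.0.0.10"])}
    for label, reply in canned.items():
        print(label, "->", check_listing("10.11.12.13", lambda _n, r=reply: r))
```

Calling `check_listing()` with only an IP address uses the system resolver; the canned replies keep the demonstration offline.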
3. See if there’s any more data on the website
Check the GFI/SORBS website to see if there’s any more information available: http://www.sorbs.net/lookup.shtml
4. Is the GFI/SORBS listing causing the blocking?
By now you know that you are having mail rejected, and you are listed on SORBS. Those two things may not be connected, though. Can you send mail to, for example, AOL, Yahoo and Gmail? None of those ISPs use SORBS, so if your mail is being rejected there, then you have some sort of problem that is not related to the SORBS listing, and need to look at that.
I’ll assume that it’s a false listing, but you should check the SORBS FAQ to see if it’s a legitimate listing.
5. Work with the ISPs that are rejecting email

This is not just a GFI problem. Many mail server admins use the SORBS Dynamic IP list in their list of RBLs, that are not GFI customers. How do we get mail server administrators to understand that SORBS is broken and to disable it?
-- comment from yesterday

If you’re only being blocked by a small number of recipients using SORBS then the best approach is to contact the administrators at those sites, explain that it’s a bogus listing, and ask them to whitelist your IP addresses. Maybe they’ll stop using SORBS altogether if they get too many of those requests. Sometimes there’s nothing you can do, for example if the administrators are belligerent and insist that you must be spammers because SORBS says so. In that case you should just write those recipients off as incompetent to run email and not worry about it too much.
6. Work with GFI to get delisted
If you decide that the right thing to do is to get GFI/SORBS to remove the false listing then prepare yourself for a long slog. I’ve seen clearly false listings kept up for several years, and even simple delistings can take months to resolve.
The SORBS website encourages users to handle delisting requests via this link. As we’ve explained over the past few days, that’s not the best idea:

  • Using that link as recommended will compromise the security of your machine by loading an untrusted SSL certification authority
  • The approach SORBS use to handle inquiries is designed to punish those who ask questions about a false listing by extending the listing, not responding to queries and pushing a delisting request to the “back of the queue” any time a question is asked
  • The ticket queue software is designed by the same people who designed the rest of the SORBS infrastructure so isn’t going to be any more reliable
  • Some of the things that GFI employees running SORBS require to get delisted are painful and expensive to do, as well as being pointless – some of their DNS requirements in particular are the IT equivalent of dancing three times widdershins around a sacrificed goat
  • Even if you do manage to get a false listing removed, it’ll just be added again the next time the database is reloaded.
  • The staff handling that queue are not professional support staff, rather they are the same people who developed SORBS. Quite apart from the other problems you’re likely to have interacting with them, they’re the least likely people to be responsive to a problem caused by their own mistakes.
  • There’s no record of your request in any real ticketing system, so there’s no GFI management visibility into responsiveness metrics

DEAR GFI: There is no way you could find a more incompetent set of people to run a RBL, or anything for that matter, regardless of how hard you might try.
-- Skyhawk

GFI do have professional support staff, though, and they should be able to help with problems with their reputation products, including the SORBS blacklist. They have local contact numbers and addresses for many countries across the world listed on their contact page.
At the time of writing their US contact information is:

Technical Support: phone +1 (919) 297-1350
Support Form
Customer Support: phone +1 (888) 243-4329
phone +1 (919) 379-3397
fax +1 (919) 379-3402
uscustomerservice@gfi.com
Public Relations: press@gfi.com

I’m told that the first tier GFI support folks would rather not deal with SORBS and will push callers to use the SORBS ticketing system instead, so you may need to be persistent or escalate requests.
Good luck!
More tomorrow.
