GFI/SORBS – I'm blacklisted, now what?

Act 1Act 2IntermezzoAct 3Act 4Act 5
Management Summary, Redistributable Documents and Links
In the past week we’ve demonstrated that the SORBS reputation data is riddled with mistakes, poor practices, security holes and operational problems, and that the quality of the end result is really too poor to be useful.
What does this mean to you though? There are really two aspects: 1. what to do if you’re blacklisted or blocked by GFI or based on GFI/SORBS data and 2. how this information should affect your choice of spam filtering technology. We’ll be looking at the first point today, and the second tomorrow.

I’ve been blocked by SORBS! What should I do?

1. Don’t Panic

First, don’t panic. Just because you’re listed on SORBS it doesn’t mean it’s having much, if any, effect on your email. (When we last measured the impact of a SORBS listing, it was responsible for about 0.01% of mail rejected – not 0.01% of the mail sent, but of the mail that was rejected about 1 in 10,000 rejections appeared to be due to SORBS.)
Different people sending mail to different recipients will see different impact from any given blacklist. So you need to look at whether your mail is being rejected. If you’re not seeing problems with mail being rejected, the listing is not something you need to care about.
2. Check to see if you’re really listed
Next, see if you’re listed on the SORBS blacklist. Find the IP address of your outbound smarthost – perhaps it’s 10.11.12.13. Reverse the order of the numbers, and put “.dnsbl.sorbs.net” on the end to give something like “13.12.11.10.dnsbl.sorbs.net”. Open up a command prompt (on Windows do Start -> Run… and enter “command”) and use nslookup on that string:

C:Steve>nslookup 13.12.11.10.dnsbl.sorbs.net
Server: i
Address: 192.168.80.100
i can't find 13.12.11.10.dnsbl.sorbs.net: Non-existent domain

What you’re looking for is “Non-existent domain” or “NXDOMAIN”. If you see either of those, then you’re not listed on SORBS.
If, instead, you see “timed out” or “SERVFAIL” then SORBS is broken, and you can’t tell.
If you see something near the end starting with “127.0.0.” then you probably are listed on SORBS:

C:Steve>nslookup 13.12.11.10.dnsbl.sorbs.net
Server: i
Address: 192.168.80.100
Non-authoritative answer:
Name: 13.12.11.10.dnsbl.sorbs.net
Addresses: 127.0.0.10

You can tell which SORBS list you’re on using the table on this page. (If the SORBS website is down then the two interesting values are 127.0.0.10, which means you’re listed as a dynamically assigned address, and 127.0.0.6, which means you’re listed as a spammer).
3. See if there’s any more data on the website
Check the GFI/SORBS website to see if there’s any more information available: http://www.sorbs.net/lookup.shtml
4. Is the GFI/SORBS listing causing the blocking?
By now you know that you are having mail rejected, and you are listed on SORBS. Those two things may not be connected, though. Can you send mail to, for example, AOL, Yahoo and Gmail? None of those ISPs use SORBS, so if your mail is being rejected there, then you have some sort of problem that is not related to the SORBS listing, and need to look at that.
I’ll assume that it’s a false listing, but you should check the SORBS FAQ to see if it’s a legitimate listing.
5. Work with the ISPs that are rejecting email

This is not just a GFI problem. Many mail server admins use the SORBS Dynamic IP list in their list of RBLs, that are not GFI customers. How do we get mail server administrators to understand that SORBS is broken and to disable it?comment from yesterday

If you’re only being being blocked by a small number of recipients using SORBS then the best approach is to contact the administrators at those sites, explain that it’s a bogus listing, and ask them to whitelist your IP addresses. Maybe they’ll stop using SORBS altogether if they get too many of those requests. Sometimes, if the administrators are belligerent that you must be spammers because SORBS says so for example, there’s nothing you can do and you should just write those recipients off as incompetent to run email and not worry about it too much.
6. Work with GFI to get delisted
If you decide that the right thing to do is to get GFI/SORBS to remove the false listing then prepare yourself for a long slog. I’ve seen clearly false listings kept up for several years, and even simple delistings can take months to resolve.
The SORBS website encourages users to handle delisting requests via this link. As we’ve explained over the past few days, that’s not the best idea:

  • Using that link as recommended will compromise the security of your machine by loading an untrusted SSL certification authority
  • The approach SORBS use to handle inquiries is designed to punish those who ask questions about a false listing by extending the listing, not responding to queries and pushing a delisting request to the “back of the queue” any time a question is asked
  • The ticket queue software is designed by the same people who designed the rest of the SORBS infrastructure so isn’t going to be any more reliable
  • Some of the things that GFI employees running SORBS require to get delisted are painful and expensive to do, as well as being pointless – some of their DNS requirements in particular are the IT equivalent of dancing three times widdershins around a sacrificed goat
  • Even if you do manage to get a false listing removed, it’ll just be added again the next time the database is reloaded.
  • The staff handling that queue are not professional support staff, rather they are the same people who developed SORBS. Quite apart from the other problems you’re likely to have interacting with them, they’re the least likely people to be responsive to a problem caused by their own mistakes.
  • There’s no record of your request in any real ticketing system, so there’s no GFI management visibility into responsiveness metrics

DEAR GFI: There is no way you could find a more incompetent set of people to run a RBL, or anything for that matter, regardless of how hard you might try.Skyhawk

GFI do have professional support staff, though, and they should be able to help with problems with their reputation products, including the SORBS blacklist. They have local contact numbers and addresses for many countries across the world listed on their contact page.
At the time of writing their US contact information is:

Technical Support:phone +1 (919) 297-1350
Support Form
Customer Support:phone +1 (888) 243-4329
phone +1 (919) 379-3397
fax +1 (919) 379-3402
uscustomerservice@gfi.com
Public Relations:press@gfi.com

I’m told that the first tier GFI support folks would rather not deal with SORBS and will push callers to use the SORBS ticketing system instead, so you may need to be persistent or escalate requests.
Good luck!
More tomorrow.

Related Posts

GFI/SORBS considered harmful, part 2

Act 1Act 2IntermezzoAct 3Act 4Act 5
Management Summary, Redistributable Documents and Links
Yesterday I talked about GFI responsiveness to queries and delisting requests about SORBS listings. Today I’m going to look at data accuracy.
The two issues are tightly intertwined – a blacklist that isn’t responsive to reports of false positive listings will end up with a lot of stale or inaccurate data, and a blacklist that has many false positives will likely be overwhelmed with complaints and delisting requests, and won’t be able to respond to them – leading to a spiral of dissatisfaction and inaccurate data feeding off each other.

Read More

Getting removed from an ISP block

A question came up on a mailing list about how long it typically took to resolve a spam block at an ISP. I don’t think that question actually has a single answer, as each ISP has their own, special, process.
ISPA takes 5 minutes. You fill out a form, it runs through their automated system and you’re usually delisted.
ISPB asks a lot of questions in their form, so it takes about 15 minutes to collect all the data they want and 10 minutes to fill out their form. Then, using very, very short words you keep repeating what you need to the tier 1 person who initially responded. That person eventually figures out they can’t blow you off and throws your request to tier 2, who handles it immediately.
ISPC has a different, somewhat long form. Again, you spend time collecting all the data and then fill out the somewhat obscure form. You get a response, but it’s a boilerplate totally unrelated to the initial request, so you keep answering until you find a tier 1 rep who can read and do what you initially asked.
ISPD has a form that takes about 2 minutes to fill out. Unfortunately, it goes to an outsourced postmaster team in the Far East and response times are ranging from days to months right now.
ISPE has an email address and if you catch them on a good day, they’re very helpful. Sometimes there’s no response, though.
ISPF has a troubleshooting page and accept requests to fix things, but never respond in any visible manner.
ISPG they tells you to talk to Spamfiltering Company H.
Spamfiltering company H answers their email in a prompt and friendly manner. OK, sometimes the answers are just “wow, your client/customer/IP range is sending lots of spam,” but hey, it’s an answer.
Spamfiltering company I is a useless bag of protoplasm and don’t even answer the email address they give you on their webpages. In a fit of fairness, I have heard they will occasionally respond, but usually that response is to tell you to go pay some apparently unrelated company a bribe to get delisted.
Spamfiltering company J doesn’t have a lot of ways to contact them, but have a lot of folks that participate in various semi-public arenas so if you’re even slightly part of the community, you can email them and they’re very helpful.
Spamfiltering company K is totally useless, but will tell you to have recipients whitelist you.

Read More

We're gonna party like it's 1996!

Over on deliverability.com Dela Quist has a long blog post up talking about how changes to Hotmail and Gmail’s priority inbox are a class action suit waiting to happen.
All I can say is that it’s all been tried before. Cyberpromotions v. AOL started the ball rolling when they tried to use the First Amendment to force AOL to accept their unsolicited email. The courts said No.
Time goes on and things change. No one argues Sanford wasn’t spamming, he even admitted as much in his court documents. He was attempting to force AOL to accept his unsolicited commercial email for their users. Dela’s arguments center around solicited mail, though.
Do I really think that minor difference in terminology going to change things?
No.
First off “solicited” has a very squishy meaning when looking at any company, particularly large national brands. “We bought a list” and “This person made a purchase from us” are more common than any email marketer wants to admit to. Buying, selling and assuming permission are par for the course in the “legitimate” email marketing world. Just because the marketer tells me that I solicited their email does not actually mean I solicited their email.
Secondly, email marketers don’t get to dictate what recipients do and do not want. Do ISPs occasionally make boneheaded filtering decisions? I’d be a fool to say no. But more often than not when an ISP blocks your mail or filters it into the bulk folder they are doing it because the recipients don’t want that mail and don’t care that it’s in the bulk folder. Sorry, much of the incredibly important marketing mail isn’t actually that important to the recipient.
Dela mentions things like bank statements and bills. Does he really think that recipients are too stupid to add the from address to their address books? Or create specific filters so they can get the mail they want? People do this regularly and if they really want mail they have the tools, provided by the ISP, to make the mail they want get to where they want it.
Finally, there is this little law that protects ISPs. 47 USC 230 states:

Read More