BLOG

GFI/SORBS – I'm blacklisted, now what?

Act 1Act 2IntermezzoAct 3Act 4Act 5
Management Summary, Redistributable Documents and Links
In the past week we’ve demonstrated that the SORBS reputation data is riddled with mistakes, poor practices, security holes and operational problems, and that the quality of the end result is really too poor to be useful.
What does this mean to you though? There are really two aspects: 1. what to do if you’re blacklisted or blocked by GFI or based on GFI/SORBS data and 2. how this information should affect your choice of spam filtering technology. We’ll be looking at the first point today, and the second tomorrow.

I’ve been blocked by SORBS! What should I do?

1. Don’t Panic

First, don’t panic. Just because you’re listed on SORBS it doesn’t mean it’s having much, if any, effect on your email. (When we last measured the impact of a SORBS listing, it was responsible for about 0.01% of mail rejected – not 0.01% of the mail sent, but of the mail that was rejected about 1 in 10,000 rejections appeared to be due to SORBS.)
Different people sending mail to different recipients will see different impact from any given blacklist. So you need to look at whether your mail is being rejected. If you’re not seeing problems with mail being rejected, the listing is not something you need to care about.
2. Check to see if you’re really listed
Next, see if you’re listed on the SORBS blacklist. Find the IP address of your outbound smarthost – perhaps it’s 10.11.12.13. Reverse the order of the numbers, and put “.dnsbl.sorbs.net” on the end to give something like “13.12.11.10.dnsbl.sorbs.net”. Open up a command prompt (on Windows do Start -> Run… and enter “command”) and use nslookup on that string:

What you’re looking for is “Non-existent domain” or “NXDOMAIN”. If you see either of those, then you’re not listed on SORBS.
If, instead, you see “timed out” or “SERVFAIL” then SORBS is broken, and you can’t tell.
If you see something near the end starting with “127.0.0.” then you probably are listed on SORBS:

You can tell which SORBS list you’re on using the table on this page. (If the SORBS website is down then the two interesting values are 127.0.0.10, which means you’re listed as a dynamically assigned address, and 127.0.0.6, which means you’re listed as a spammer).
3. See if there’s any more data on the website
Check the GFI/SORBS website to see if there’s any more information available: http://www.sorbs.net/lookup.shtml
4. Is the GFI/SORBS listing causing the blocking?
By now you know that you are having mail rejected, and you are listed on SORBS. Those two things may not be connected, though. Can you send mail to, for example, AOL, Yahoo and Gmail? None of those ISPs use SORBS, so if your mail is being rejected there, then you have some sort of problem that is not related to the SORBS listing, and need to look at that.
I’ll assume that it’s a false listing, but you should check the SORBS FAQ to see if it’s a legitimate listing.
5. Work with the ISPs that are rejecting email

This is not just a GFI problem. Many mail server admins use the SORBS Dynamic IP list in their list of RBLs, that are not GFI customers. How do we get mail server administrators to understand that SORBS is broken and to disable it?comment from yesterday

If you’re only being being blocked by a small number of recipients using SORBS then the best approach is to contact the administrators at those sites, explain that it’s a bogus listing, and ask them to whitelist your IP addresses. Maybe they’ll stop using SORBS altogether if they get too many of those requests. Sometimes, if the administrators are belligerent that you must be spammers because SORBS says so for example, there’s nothing you can do and you should just write those recipients off as incompetent to run email and not worry about it too much.
6. Work with GFI to get delisted
If you decide that the right thing to do is to get GFI/SORBS to remove the false listing then prepare yourself for a long slog. I’ve seen clearly false listings kept up for several years, and even simple delistings can take months to resolve.
The SORBS website encourages users to handle delisting requests via this link. As we’ve explained over the past few days, that’s not the best idea:

  • Using that link as recommended will compromise the security of your machine by loading an untrusted SSL certification authority
  • The approach SORBS use to handle inquiries is designed to punish those who ask questions about a false listing by extending the listing, not responding to queries and pushing a delisting request to the “back of the queue” any time a question is asked
  • The ticket queue software is designed by the same people who designed the rest of the SORBS infrastructure so isn’t going to be any more reliable
  • Some of the things that GFI employees running SORBS require to get delisted are painful and expensive to do, as well as being pointless – some of their DNS requirements in particular are the IT equivalent of dancing three times widdershins around a sacrificed goat
  • Even if you do manage to get a false listing removed, it’ll just be added again the next time the database is reloaded.
  • The staff handling that queue are not professional support staff, rather they are the same people who developed SORBS. Quite apart from the other problems you’re likely to have interacting with them, they’re the least likely people to be responsive to a problem caused by their own mistakes.
  • There’s no record of your request in any real ticketing system, so there’s no GFI management visibility into responsiveness metrics

DEAR GFI: There is no way you could find a more incompetent set of people to run a RBL, or anything for that matter, regardless of how hard you might try.Skyhawk

GFI do have professional support staff, though, and they should be able to help with problems with their reputation products, including the SORBS blacklist. They have local contact numbers and addresses for many countries across the world listed on their contact page.
At the time of writing their US contact information is:

Technical Support: phone +1 (919) 297-1350
Support Form
Customer Support: phone +1 (888) 243-4329
phone +1 (919) 379-3397
fax +1 (919) 379-3402
uscustomerservice@gfi.com
Public Relations: press@gfi.com

I’m told that the first tier GFI support folks would rather not deal with SORBS and will push callers to use the SORBS ticketing system instead, so you may need to be persistent or escalate requests.
Good luck!
More tomorrow.

8 comments

  1. pgl says

    FWIW, I would say the rejection %age is slightly higher than 0.01%, but still lower than 1% – ie, nothing to worry about at all.

  2. RichH says

    pgl — have you considered your 1% from the perspective of someone with an incorrectly blacklisted IP block? I have a mail server so listed. It is not fun having hundreds of people not be able to email different companies and do business. As of this writing, the SORBS delisting system is still down, and has been for several days. GFI is obviously not trying very hard to fix it either. And good luck contacting mail admins at hundreds of companies using zombie spam control lists with appliances like Barracuda, etc. that are preconfigured and many wouldn’t have a clue how to change. This just sucks bigtime.

  3. pgl says

    @RichH yes, I have – I’ve been in your situation before, and it sucks. But, compared to other blacklists, SORBS has — at least in my experience — a lot less impact.

  4. AbuseGuy says

    So I tried called GFI today. GOT NOWHERE! This is becoming a huge headache. Thanks for all of these great posts.
    You should share Michelle S. email from her earlier reply. Maybe she/he can help us escalate our issues.

    1. laura says

      While I do sympathize, we don’t release email addresses. However, there is an email address associated with the SORBS IP space: http://wq.apnic.net/apnic-bin/whois.pl?searchtext=111.125.160.128 . I have seen mail from that address discussing SORBS policy and signed by Michelle on various mailing lists from spam-l to NANOG.

  5. steve says

    Also, if you’re calling GFI anyway, and need an escalation point for problems caused by their broken IT infrastructure, http://www.linkedin.com/in/sergiogalindo might be of interest.

  6. Frustrated internet user says

    SORBS should just give it up and pack it in. Their approach and techniques are antiquated and just don’t work in the modern email world – they cause more harm than good, constantly listing innocent IPs, and any serious spammers can work around their “protections” with ease.
    SORBs have started listing the IPs of mailservers sending mail containing sharing button links now. Can I speak to a human to tell them about this obvious f*ckup? No. Too busy dealing with the normal deluge of complaints and support tickets I imagine. Not to mention that any automated replies you do get come from “payments@support.sorbs.net” – really says a lot about their business model.

  7. Guter Mann says

    SORBS makes it impossible for the average internet user to defend himself against being blacklisted, with all its business and privately damaging consequences. My ip seems to be blacklisted, as I have two email-accounts blocked by sorbs, from which I am sending emails to my WIFE, who has the SAME ip adress even! And – for the jokers amongst you – I am not spamming her. SORBS is big brother at its finest. No possibility to get help from “the castle” in the US. Greetings from Europe, where we always seem to have to fight for the internet users rights against companies like Sorbs, you…

Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.