
GFI/SORBS considered harmful


A little over a year ago the SORBS blacklist was purchased by GFI Software. I had fairly high hopes that it would improve significantly, start behaving with some level of professionalism and competence and become a useful data source, in much the same way that the SpamCop blacklist turned into an accurate, professionally run source of data after they transitioned from being a volunteer-run blacklist to a service of IronPort.

GFI’s statement a year ago was:

GFI is now actively developing plans for the future of SORBS, including SORBS 2.0 and methods to improve SORBS data and responsiveness.

They’ve had a year to do that, so how have they done? Yesterday, my good friend Delivery Kitty reminded me to take a look at GFI/SORBS. Today responsiveness. Tomorrow, data quality.

Responsiveness

I don’t send any email other than personal email myself, and I don’t represent large email senders in any professional capacity, so I don’t have much personal experience to go on (edit: well, until I tried to use the GFI/SORBS website to research tomorrow’s post, anyway). So I did some informal polling, looking on Twitter, and asking some friends in the industry.

The much-repeated story is that there’s been no real improvement in responsiveness – tickets are routinely ignored, or not responded to for months, and when they are responded to the responses are anything but helpful. Also, any mistake or problem tends to be blamed on “a DDoS”, even those issues that are obviously human error, poor database design or other systemic issues.

One senior sysadmin on GFI/SORBS’ handling of their recent batch of false positives:

There’s a huge screwup that has been visible in their public-facing production systems for 3 days, doing harm to their users’ mail flows.  The visible evidence says to me that someone at SORBS knows there’s a problem, and has known for at least a couple of days. And still, there has been no action to really repair the damage or even acknowledge it. SORBS is publishing lies in its zones, and while I can tolerate the occasional little “oops” that is handled swiftly and maturely, this is not such an incident.

Random tweet:

Finally got SORBS to delist my IP addresses…only took three months!!

Abuse specialist from a large mailing list operator:

Rather than operating on “Internet time,” SORBS seems to work on “Redneck time,” that is, they’ll get around to it when they get a round tuit.

Senior Security Engineer at a major regional US broadband provider:

SORBS uses bellicose, immature, and incompetent volunteers who are more interested in arguing the 1996 view that all spam is the sender’s fault regardless than in delisting IP addresses that were wrongly listed.

And a final quote that, I think, shows that frustration with SORBS responsiveness has gone from actual concern into black humor:

Imagine SORBS responses in Dalek voice:

DNS TTL not high enough!  Exterminate!
Didn’t fill out the form!  Exterminate!
Dynamic IP according to our records!  Exterminate!
We’re humble volunteers!  EXTERMINATE!!!!!!!!!

(Several of the people who gave me those quotes asked me explicitly not to mention them, or their employers, by name due to a history of harassment-by-false-blacklisting of people who speak publicly about GFI/SORBS practices. So I’ve tried to remove all the identifying information from all the quotes.)

Digging into the data quality issues takes a little longer, so that’s for tomorrow.

10 comments

  1. C says

    Dutch ISP XS4ALL recently put up this page that has a very similar title: SORBS considered harmful.

  2. GFI/SORBS considered harmful, part 2 – Word to the Wise says

    [...] I talked about GFI responsiveness to queries and delisting requests about SORBS listings. Today I’m going to look at data [...]

  3. GFI/SORBS – a DDoS Intermezzo – Word to the Wise says

    [...] Act 1 • Act 2 • Intermezzo [...]

  4. D.M. says

    We’ve used SORBS for years, but we’ve seen a 300% increase in the amount of sending IPs we’re finding on the SORBS blacklist in the last month, and a 1000% increase in the number of complaints we’re receiving because we’re rejecting legitimate mail from legitimate senders because they’ve gotten off SORBS.

  5. Gustavo says

    Now they are not working properly, and have many problems.

  6. The Received Blog says

    [...] the Word to the Wise blog, Steve Atkins has been publishing a series of articles describing — in impressive detail — everything he feels is wrong with the SORBS [...]

  7. George says

    I’ve used SORBS for years.

    Now mails are rejected from online service companies, domain registrars, etc. False rejects are extremely harmful.

    SORBS is removed.

  8. Block Lists and the Death of a Thousand Cuts « The E-mail Skinny says

    [...] on production mail servers is deprecated. My colleague Steve Atkins at Word to the Wise provides an exhaustive review of the problems leading up to and exacerbating the failures, and summarizes them [...]

  9. SORBS Progress – Word to the Wise says

    [...] little bird tells me that GFI have resolved their primary blocking issue on SORBS problems. If all goes well I’d expect their infrastructure and policies to improve [...]

  10. Phil B says

    All depends on WHICH lists are used.

    The list dnsbl.sorbs.net almost guarantees that legit mails will be bounced (which many people have tried using and complained about). This list IMHO is a non-starter…

    Far better to use spam.dnsbl.sorbs.net which isn’t as aggressive. Apart from the occasional false positive, this list has proven to be a good defense against spam in conjunction with other dnsBL providers.
