SORBS Contact

Can someone from SORBS contact me offlist if they are on here…

My most recent allocation from ARIN turned out to be dirty IPs, and I’m having trouble getting them removed following the steps on their website (no action on tickets opened).

64.79.128.0/20

Brian Boles
vegasnetman@gmail.com

We have the same problem. We are blacklisted and I filled out the webform. I
got an email regarding ticket number and account/password to track the
ticket. But it seems that nobody is working on it.

Best Stefan

If you are blacklisted due to SPAM, and this happens often when you are an
ISP, there is no automatic process.

Stefan

Sad state of affairs when looney people dictate which IPs are "good" and "bad".

-Michael

Brian Boles wrote:

Even worse if your ISP uses it and demands you ask the 'offender' to get 'themselves' removed.

Michael Nicks wroteth on 8/8/2006 7:27 AM:

I have recommended to every client in the past to drop any ISP that uses SORBS, but amazingly there are still plenty of clueless ISPs out there that use SORBS.

Hank Nussbacher
http://www.interall.co.il

Michael Nicks wrote:

> Sad state of affairs when looney people dictate which IPs are "good" and "bad".

Sad state of affairs when ISPs are still taking money from spammers and providing transit to known criminal organisations.

/ Mat

Someone is providing you transit.. what gives? :)

Matthew Sullivan wroteth on 8/8/2006 4:33 PM:

Brian Boles wrote:

> Can someone from SORBS contact me offlist if they are on here....
>
> My most recent allocation from ARIN turned out to be dirty IPs, and I'm having trouble getting them removed following the steps on their website (no action on tickets opened).
>
> 64.79.128.0/20

Of course checking this we find that SORBS is not the only problem you have...

http://www.completewhois.com/hijacked/files/64.79.128.0.txt

Regards,

Mat

That was the old user of that IP block. The block has been deleted
and ARIN has now reassigned/reallocated it to somebody else.

The file you need to watch (which gets updated when a previously
hijacked IP block is no longer an issue) is:
  http://www.completewhois.com/hijacked/hijacked_flist.txt

(though a few more legacy blocks listed there got deleted
  in the last months, so it does need to be updated again)

william(at)elan.net wrote:

> That was the old user of that IP block. The block has been deleted
> and ARIN has now reassigned/reallocated it to somebody else.
>
> The file you need to watch (which gets updated when a previously
> hijacked IP block is no longer an issue) is:
> http://www.completewhois.com/hijacked/hijacked_flist.txt
>
> (though a few more legacy blocks listed there got deleted
> in the last months, so it does need to be updated again)

Ta, missed that link previously.

Regards,

Mat

Hey Mat.

You aren't wrong, but that doesn't absolve you of the responsibility to
de-list in an efficient manner when you have made a mistake, or if the
listing is no longer accurate (i.e. if all the spammers have been kicked
off the netblock in question.)

$DAYJOB lists spam filtering amongst the services we offer to our
clients. I know we're using you to block IPs at the firewall, and we're
probably also doing so at the server level. I am going to talk to my boss
and co-workers about the impact of removing SORBS from our DNSBL list,
because your replies lately have been snarky and completely
unprofessional, including the reply quoted above. (Yes. It sucks that
spammers are still spamming. So what?)

I don't know what your problem is, but you're not making things any better
by refusing to fix listings that aren't incorrect or, in some cases, never
were.

Feh.

Listings that are NO LONGER CORRECT, or in some cases, never were.

Make sure brain is running before engaging fingers. :)

> I don't know what your problem is, but you're not making things any better
> by refusing to fix listings that aren't incorrect or, in some cases, never
> were.

IMHO, it's not about making things 'better' - we don't expect NANOG'ers
to be any more altruistic than other folk. It's about consumer
protection, as the anti-spammers always say; if $BLACKLIST does a good
job, we keep it. If it screws up too much, we go elsewhere. So Matt has
an incentive to be correct, I should think.

I fear we're veering off topic, but the problem with the "If $BLACKLIST
does a job, we'll keep using it" axiom is that it makes the assumption
that the majority of mail admins who use blacklists as part of their
antispam arsenal are keeping close tabs on the efficacy and accuracy of
the blacklists they use. Unfortunately I don't believe that is
generally the case. In my experience, most use blacklists as a "set and
forget" kind of weapon, and the only method they use to judge the
reliability of a list is how many spams it blocks, regardless of
accuracy. Too often you find admins that, when presented with an
example of a false-positive caused by an inaccurate blacklist, cop the,
"Don't talk to me, talk to the blacklist operators" attitude.

And it isn't entirely a lazy admin problem. There really seems to be no
*good* way to judge the relative accuracy of different blacklists. You
can read their policies and procedures, but how do you know if they
actually follow them? Keeping an eye on mailing lists and newsgroups
can help some, but how do you separate the net.kooks complaining about a
valid listing from people with legitimate gripes? Especially when the
blacklist admins often come off as bigger net.kooks than their
detractors?

It winds up looking like a big catch-22 to me. Blacklist operators
essentially punt all responsibility for incorrectly blocked emails on
the mail admins, and the mail admins punt all responsibility for
incorrect listings back at the blacklist operators. And that leaves us
with *no one* taking responsibility, which makes me seriously question
the wisdom of using blacklists at all anymore.

Personally, I think completely automated systems with very short listing
times may be the way to go. It removes the human element from the
listing and delisting process in order to avoid the
personality-conflict/vendetta listings that seem to poison a number of
popular blacklists. In the long run, though, I think the spammers have
won the DNS blacklist war already and our time is better spent
developing better content filters to worry with the actual content of
the email than where it came from.

Andrew Cruse

Steve Sobol wrote:

>> Sad state of affairs when ISPs are still taking money from spammers and providing transit to known criminal organisations.
>
> Hey Mat.
>
> You aren't wrong, but that doesn't absolve you of the responsibility to de-list in an efficient manner when you have made a mistake, or if the listing is no longer accurate (i.e. if all the spammers have been kicked off the netblock in question.)

If you checked with the original complainant you would find that both the zombie and DUHL listings are cleared. If you knew the ticket numbers and where they sit in the SORBS RT Support system you would know that there were multiple tickets logged the oldest now being 10 days, the most recent being 5 days - and under published policy the earliest was pushed into the more recent. You'll also note that the original complaint was about a single IP address as part of a /27 within a /19 listing.

> $DAYJOB lists spam filtering amongst the services we offer to our clients. I know we're using you to block IPs at the firewall, and we're probably also doing so at the server level. I am going to talk to my boss and co-workers about the impact of removing SORBS from our DNSBL list, because your replies lately have been snarky and completely unprofessional, including the reply quoted above. (Yes. It sucks that spammers are still spamming. So what?)

The quoted text above is intended for a few that might still be on this list, none of which posted to this thread. The fact remains some ISPs provide transit to known criminal organisations for hijacked netblocks which are used for nothing but abuse (hosting trojans and viruses). Money talks.

> I don't know what your problem is, but you're not making things any better by refusing to fix listings that aren't incorrect or, in some cases, never were.

Where do you get that from...? We fix incorrect listings as soon as notified and with no deliberate delay. If you are referring to listings like Dean Anderson's stolen netblock these are not delisted until such time as proof is obtained that our information is incorrect.

We have been informed that Dean picked up that portable /16 (and 2 other networks - one of which was a non-portable UUNET block) when he parted company with OSF in 1998. I have been contacted on a few occasions by Dean demanding delisting, each time I have asked for proof that he did not steal the netblock from the OSFs creditors (taking without permission even from a company folding is still stealing) - his response was a lot of bluster followed by the creation of the IADL.org site. A few people (including myself) have attempted to contact 'The Open Group' who are the new owners of the old OSF organisation. I am not aware of a reply that has been received from anyone other than Dean indicating that Dean is the legitimate owner of the said netblock. You will also note that at least one of the netblocks that Dean has indicated that he was a legitimate owner of has been taken back and is reallocated. To date no-one has backed Dean up in his assertion that he did not steal the netblock, all that we have seen is a short time after the listing suddenly Dean started providing services to 'opengroup.org' and cited that as proof he owns the block - considering the OpenGroup is in the UK now and are now unlikely to be able to prove to a court that they are the legitimate owners of the netblock I don't see that as reason to consider Dean the legitimate owner. A verifiable document from the OSF/OpenGroup indicating that Dean Anderson is the legitimate owner of their /16 and it was transferred to him with their knowledge and permission is all that is required for delisting... however it seems Dean cannot obtain that adding weight to the view that he did indeed steal the netblocks.

Something to consider before replying: is this on or off topic for NANOG? (personally I think part of this is on topic, other parts of the thread are definitely off topic)

Regards,

Mat

Matthew Sullivan wrote:

> If you checked with the original complainant you would find that both
> the zombie and DUHL listings are cleared. If you knew the ticket
> numbers and where they sit in the SORBS RT Support system you would know
> that there were multiple tickets logged the oldest now being 10 days,
> the most recent being 5 days - and under published policy the earliest
> was pushed into the more recent. You'll also note that the original
> complaint was about a single IP address as part of a /27 within a /19
> listing.

OK. I have no problem with that. I want you to understand that my observation
comes from seeing *many* people complain about a lack of response. If it was
just a couple, that'd be a horse of another color.

And frankly, it's not like you try to hide. You're a public figure here and
on several other discussion forums. So I don't think it's unreasonable to
assume that if people are having trouble reaching SORBS, it's not because the
contacts aren't published. In fact, I've seen a number of complaints that
people *have* contacted SORBS and have failed to get a response.

> The quoted text above is intended for a few that might still be on this
> list, none of which posted to this thread. The fact remains some ISPs
> provide transit to known criminal organisations for hijacked netblocks
> which are used for nothing but abuse (hosting trojans and viruses).

I'm not arguing that fact. Whether or not it was an appropriate response is
another matter.

>> I don't know what your problem is, but you're not making things any
>> better by refusing to fix listings that aren't incorrect or, in some
>> cases, never were.
>
> Where do you get that from...? We fix incorrect listings as soon as
> notified and with no deliberate delay. If you are referring to listings
> like Dean Anderson's stolen netblock these are not delisted until such
> time as proof is obtained that our information is incorrect.

Perhaps "refusal" is not the proper word, and I apologize for using it. It
does imply intent. "failure" may be a more accurate description.

> permission even from a company folding is still stealing) - his response
> was a lot of bluster followed by the creation of the IADL.org site.

Yup, I know. I'm there too. I am one of Dean's most vocal detractors.

> Something to consider before replying: is this on or off topic for
> NANOG? (personally I think part of this is on topic, other parts of the
> thread are definitely off topic)

It has been agreed that spam is offtopic, although the issue of hijacked
netblocks certainly isn't. So I probably should have replied to you off-list
(apologies to everyone else for lowering the S:N ratio).

I don't know what the official word is on whether DNSBL operations in general
are on-topic for this list. I would appreciate if the people in charge of
deciding such things could tell me whether DNSBLs are on-topic or not...

Steve Sobol wrote:

Matthew Sullivan wrote:

<replied off list>

>> Something to consider before replying: is this on or off topic for
>> NANOG? (personally I think part of this is on topic, other parts of the
>> thread are definitely off topic)
>
> It has been agreed that spam is offtopic, although the issue of hijacked
> netblocks certainly isn't. So I probably should have replied to you off-list
> (apologies to everyone else for lowering the S:N ratio).
>
> I don't know what the official word is on whether DNSBL operations in general
> are on-topic for this list. I would appreciate if the people in charge of
> deciding such things could tell me whether DNSBLs are on-topic or not...

List maintainers, would you please rule on whether:

1/ DNSbl operations are on or off topic.
2/ Hijacked netblocks are on/off topic (I suspect on topic, but would like to see an official word).

Regards,

Mat