Company type | Public |
---|---|
Founded | Queensland, Australia 2001 |
Founder | Michelle Sullivan |
Headquarters | Sunnyvale CA, United States of America |
Area served | Worldwide |
Key people | Michelle Sullivan |
Owner | Proofpoint, Inc. |
Website | www.sorbs.net |
Footnotes / references | SORBS is owned by Proofpoint, Inc. |

SORBS ("Spam and Open Relay Blocking System") was a list of e-mail servers suspected of sending or relaying spam (a DNS Blackhole List). It had been augmented with complementary lists that included various other classes of hosts, allowing its users to customize email rejection.
The SORBS DNSbl project was created in November 2001. It was maintained as a private list until 6 January 2002 when the DNSbl was officially launched to the public. The list consisted of 78,000 proxy relays and rapidly grew to over 3,000,000 alleged compromised spam relays. [1]
In November 2009 SORBS was acquired by GFI Software, to enhance their mail filtering solutions. [2]
In July 2011 SORBS was re-sold to Proofpoint, Inc. [3]
On June 5, 2024 SORBS was shut down and is no longer available. [4]
SORBS adds IP ranges that belong to dialup modem pools, dynamically allocated wireless, and DSL connections, as well as DHCP LAN ranges, by using reverse DNS PTR records, WHOIS records, and sometimes submissions from the ISPs themselves. This is called the DUHL or Dynamic User and Host List. [5] SORBS does not automatically rescan DUHL-listed hosts for updated rDNS, so to remove an IP address from the DUHL the user or ISP has to request a delisting or rescan. If other blocks are scanned in the region of listings and the scan includes listed netspace, SORBS automatically removes the netspace marked as static.
Matthew Sullivan of SORBS proposed in an Internet Draft that generic reverse DNS addresses include purposing tokens such as static or dynamic, abbreviations thereof, and more. [6] That naming scheme would have allowed end users to classify IP addresses without the need to rely on third party lists, such as the SORBS DUHL. The Internet Draft has since expired. Generally it is considered more appropriate for ISPs to simply block outgoing traffic to port 25 if they wish to prevent users from sending email directly, rather than specifying it in the reverse DNS record for the IP. [7]
SORBS' dynamic IP list originally came from Dynablock but has been developed independently since Dynablock stopped updating in December 2003. [8]
IP addresses that send spam to SORBS spamtraps are added to their spam database automatically or manually. In order to prevent being blacklisted, major free email services such as Gmail, Yahoo, and Hotmail, as well as major ISPs now implement outgoing anti-spam countermeasures. Gmail, for example, continues to get listed and delisted [9] [10] because they refuse abuse reports. [11] However, smaller networks may still be unwittingly blocked. Because spammers use viruses, malware, and rootkits to force compromised computers to send spam, SORBS lists the IP addresses of servers that the infected system uses to send its spam. Because of this, larger ISPs and corporate networks have started blocking port 25 in order to prevent these compromised computers from being able to send email except through designated email servers. [12]
SORBS maintains a list of networks and addresses that it believes are assigned dynamically to end users/machines; it refers to this list as the DUHL (Dynamic User/Host List). [13] The list also affects wide networks of computers sharing the same IP address through network address translation: if one computer behind the NAT is allowed to send spam, the whole network will be blacklisted if the NAT IP is ever blacklisted. This is a common method of pre-emptive blocking, as most legitimate mail servers are hosted in data centers designed and provisioned for such services; the legitimate mail servers affected by such listings are most commonly those of home hobbyists running their own mail servers. The Spamhaus Policy Block List (PBL) is another such pre-emptive list, which does not just list dynamic hosts but also blocks hosts it believes [14] should not be sending email directly to third-party servers. SORBS also operates another list, similar to the Spamhaus PBL, called the NoServers list, which is wholly maintained by the network administrators of the respective networks and is therefore theoretically free of false positives. [citation needed]
SORBS has been accused of deliberately targeting innocent users through escalated listings. Its website describes the process as follows: "An escalated listing on the other hand is where a whole network of IP addresses is listed in SORBS and all hosts and IPs (whether assigned to a single customer or multiple) are listed and therefore blocked or result in spam folder issues. Why does SORBS create escalated listings? The simple answer is to stop spam. You ask, 'How does listing innocent IPs help stop spam?' Simple, some providers don’t care about spam." [15] There have been many heated discussions on this practice as often it would appear that email users who are caught in this trap have no recourse, because the listing applies to a block of IP addresses, and they are unable to release their own IP address.
Due to the automation of SORBS listings, it is possible for the addresses of legitimate mail servers to be listed from time to time. Therefore, users of the SORBS Spam list in particular should consider carefully any such implications and may wish to use the service as part of a larger spam blocking system. The SORBS 'No Servers' list is reported to be wholly administered by the network administrators of the networks concerned; therefore, it should be free of false positives.
SORBS produces and publishes daily statistics about its list to the otherwise defunct usenet newsgroup news.admin.net-abuse.bulletins (NANAB). As of 7 April 2021 statistics published show the following listing totals:
Entry type | Unique IPs |
---|---|
Proxy | 613259 |
Relay | 7824 |
Spam | 48515896 |
Hacked | 7337019 |
DUHL | 381194921 |
exDUHL | 1072776 |
Cable | 3877257 |
Zombie | 1772805 |
AdminRequested | 1 |
UnAllocated | 139101 |
CoLo | 136259 |
MailServer | 31 |
Spammer | 1 |
Escalated | 2305 |
Phishing | 110995 |
Virus | 5630114 |
BackScatter | 36 |
Business | 5693190 |
Static | 8906441 |
WhiteHat | 1 |
NoServers | 46844194 |
CoreNetwork | 42588 |
InstantReport | 31 |
EmailReport | 1 |
Permission | 81 |
Botnet | 379527 |
Total IPs listed in the database | 512276654 |

An open mail relay is a Simple Mail Transfer Protocol (SMTP) server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default configuration in many mail servers; indeed, it was the way the Internet was initially set up, but open mail relays have become unpopular because of their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers.
A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service that lets mail servers check, via a Domain Name System (DNS) query, whether a sending host's IP address is blacklisted for email spam. Most mail server software can be configured to check such lists, typically rejecting or flagging messages from such sites.
A whitelist is a list or register of entities that are being provided a particular privilege, service, mobility, access or recognition. Entities on the list will be accepted, approved and/or recognized. Whitelisting is the reverse of blacklisting, the practice of identifying entities that are denied, unrecognised, or ostracised.
Various anti-spam techniques are used to prevent email spam.
Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoidable, and repetitive. Email spam has steadily grown since the early 1990s, and by 2014 was estimated to account for around 90% of total email traffic.
The Distributed Sender Blackhole List was a Domain Name System-based Blackhole List that listed IP addresses of insecure e-mail hosts. DSBL could be used by server administrators to tag or block e-mail messages that came from insecure servers, which are often spam.
The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to take action against what they allege to be spammers. The correctness of this assessment by Spamhaus is regularly disputed. Whether the assessment is based on objective characteristics or on standards set by Spamhaus itself is also disputed. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider, or other firm, which spams or knowingly provides service to spammers. Spamhaus has been criticized for purposely hiding all direct methods of contact from its webpages to avoid transparency, while asking for transparency from others.
In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name. The process of reverse resolving of an IP address uses PTR records. rDNS involves searching domain name registry and registrar tables. The reverse DNS database of the Internet is rooted in the .arpa top-level domain.
Email authentication, or validation, is a collection of techniques aimed at providing verifiable information about the origin of email messages by validating the domain ownership of any message transfer agents (MTA) who participated in transferring and possibly modifying a message.
Forward-confirmed reverse DNS (FCrDNS), also known as full-circle reverse DNS, double-reverse DNS, or iprev, is a networking parameter configuration in which a given IP address has both forward (name-to-address) and reverse (address-to-name) Domain Name System (DNS) entries that match each other. This is the standard configuration expected by the Internet standards supporting many DNS-reliant protocols. David Barr published an opinion in RFC 1912 (Informational) recommending it as best practice for DNS administrators, but there are no formal requirements for it codified within the DNS standard itself.
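The forward-confirmed check described above, as an added example that is not part of the original article: a PTR name counts only if its own forward lookup returns the connecting address, since the PTR record alone is set by whoever controls the reverse zone. The lookup tables and host names are constructed sample data.

```python
import ipaddress
import socket

def ptr_names(ip):
    """Reverse lookup: host names from the PTR records of ip ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def forward_addrs(name):
    """Forward lookup: every A/AAAA address of name ([] if it does not resolve)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns(ip, reverse=ptr_names, forward=forward_addrs):
    """Return the PTR names whose forward lookup includes ip (empty list = fail)."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in reverse(ip):
        name = name.rstrip(".").lower()  # DNS names compare case-insensitively
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr.split("%")[0]) == target:
                    confirmed.append(name)
                    break
            except ValueError:
                continue  # resolver returned something that is not an address
    return confirmed

# Constructed sample data: the second PTR points at a name that resolves elsewhere.
PTR = {"192.0.2.10": ["Mail.Example.NET."], "192.0.2.20": ["host.example.org"]}
FWD = {"mail.example.net": ["192.0.2.10"], "host.example.org": ["198.51.100.7"]}

def sample_reverse(ip):
    return PTR.get(ip, [])

def sample_forward(name):
    return FWD.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, fcrdns(ip, sample_reverse, sample_forward))
```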
The Abusive Hosts Blocking List (AHBL) was an internet abuse tracking and filtering system developed by The Summit Open Source Development Group, and based on the original Summit Blocking List (2000–2002). Its DNSBLs were shut down on Jan 1, 2015 and now appear to be blacklisting the entire Internet.
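The DNSBL lookup described earlier, with a guard against a zone that answers for every address, as the AHBL zones are described doing after shutdown. This is an added example, not code from the original article or from any list operator: it relies on the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not), and the zone `dnsbl.example` and the return code 127.0.0.10 are constructed placeholders.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reversed address labels followed by the list's zone (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:  # IPv6: 32 hex nibbles, least significant first
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def zone_health(zone, resolve=system_resolver):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    if resolve(dnsbl_query_name("127.0.0.1", zone)):
        return "lists-everything"  # wildcarded or parked zone
    if not resolve(dnsbl_query_name("127.0.0.2", zone)):
        return "dead"  # zone no longer answers
    return "ok"

def check_sender(ip, zone, resolve=system_resolver):
    """Query the list for ip, but only after the zone passes the health check."""
    health = zone_health(zone, resolve)
    if health != "ok":
        return ("skip", health)
    codes = [a for a in resolve(dnsbl_query_name(ip, zone)) if a.startswith("127.")]
    return ("listed", codes) if codes else ("not-listed", [])

# Constructed zone data: dnsbl.example is a placeholder, 127.0.0.10 a made-up code.
HEALTHY = {"2.0.0.127.dnsbl.example": ["127.0.0.2"],
           "99.2.0.192.dnsbl.example": ["127.0.0.10"]}

def healthy(name):
    return HEALTHY.get(name, [])

def wildcard(name):  # a shut-down list answering for every name
    return ["127.0.0.2"]

if __name__ == "__main__":
    for resolver in (healthy, wildcard):
        print(resolver.__name__, check_sender("192.0.2.99", "dnsbl.example", resolver))
```

Running the health check on a schedule, rather than per message, lets a mail server drop a defunct list from its configuration before that list starts rejecting legitimate mail.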
A smart host or smarthost is an email server via which third parties can send emails and have them forwarded on to the email recipients' email servers.
In networking, a black hole refers to a place in the network where incoming or outgoing traffic is silently discarded, without informing the source that the data did not reach its intended recipient.
SURBL is a collection of URI DNSBL lists of Uniform Resource Identifier (URI) hosts, typically web site domains, that appear in unsolicited messages. SURBL can be used to search incoming e-mail message bodies for spam payload links to help evaluate whether the messages are unsolicited. For example, if http://www.example.com is listed, then e-mail messages with a message body containing this URI may be classified as unsolicited. URI DNSBLs differ from prior DNSBLs, which commonly list mail sending IP addresses. SURBL is a specific instance of the general URI DNSBL list type.
Not Just Another Bogus List (NJABL) was a DNS blacklist.
The Mail Abuse Prevention System (MAPS) is an organization that provides anti-spam support by maintaining a DNSBL. They provide five black lists, categorising why an address or an IP block is listed:
A Dial-up/Dynamic User List (DUL) is a type of DNSBL which contains the IP addresses an ISP assigns to its customer on a temporary basis, often using DHCP or similar protocols. Dynamically assigned IP addresses are contrasted with static IP addresses which do not change once they have been allocated by the service provider.
hMailServer was a free email server for Windows created by Martin Knafve. It ran as a Windows service and included administration tools for management and backup. It had support for IMAP, POP3, and SMTP email protocols. It could use external database engines such as MySQL, MS SQL or PostgreSQL, or an internal MS SQL Compact Edition engine to store configuration and index data. The actual email messages were stored on disk in a raw MIME format. As of January 15th, 2022, active support and development were officially halted, although version 5.6 will continue to receive updates for critical bugs.
In computing, a blacklist, disallowlist, blocklist, or denylist is a basic access control mechanism that allows through all elements, except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, allowlist, or passlist, in which only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked until an additional step is performed.
Email spammers have developed a variety of ways to deliver email spam throughout the years, such as mass-creating accounts on services such as Hotmail or using another person's network to send email spam. Many techniques to block, filter, or otherwise remove email spam from inboxes have been developed by internet users, system administrators and internet service providers. Due to this, email spammers have developed their own techniques to send email spam, which are listed below.