GFI/SORBS – I'm blacklisted, now what?

In the past week we’ve demonstrated that the SORBS reputation data is riddled with mistakes, poor practices, security holes and operational problems, and that the quality of the end result is really too poor to be useful.
What does this mean to you though? There are really two aspects: 1. what to do if you’re blacklisted or blocked by GFI or based on GFI/SORBS data and 2. how this information should affect your choice of spam filtering technology. We’ll be looking at the first point today, and the second tomorrow.

I’ve been blocked by SORBS! What should I do?

1. Don’t Panic

First, don’t panic. Just because you’re listed on SORBS it doesn’t mean it’s having much, if any, effect on your email. (When we last measured the impact of a SORBS listing, it was responsible for about 0.01% of mail rejected – not 0.01% of the mail sent, but of the mail that was rejected about 1 in 10,000 rejections appeared to be due to SORBS.)
Different people sending mail to different recipients will see different impact from any given blacklist. So you need to look at whether your mail is being rejected. If you’re not seeing problems with mail being rejected, the listing is not something you need to care about.
2. Check to see if you’re really listed
Next, see if you’re listed on the SORBS blacklist. Find the IP address of your outbound smarthost – perhaps it’s 10.11.12.13. Reverse the order of the numbers, and put “.dnsbl.sorbs.net” on the end to give something like “13.12.11.10.dnsbl.sorbs.net”. Open up a command prompt (on Windows do Start -> Run… and enter “command”) and use nslookup on that string:

C:\Steve>nslookup 13.12.11.10.dnsbl.sorbs.net
Server: i
Address: 192.168.80.100
i can't find 13.12.11.10.dnsbl.sorbs.net: Non-existent domain

What you’re looking for is “Non-existent domain” or “NXDOMAIN”. If you see either of those, then you’re not listed on SORBS.
If, instead, you see “timed out” or “SERVFAIL” then SORBS is broken, and you can’t tell.
If you see something near the end starting with “127.0.0.” then you probably are listed on SORBS:

C:\Steve>nslookup 13.12.11.10.dnsbl.sorbs.net
Server: i
Address: 192.168.80.100
Non-authoritative answer:
Name: 13.12.11.10.dnsbl.sorbs.net
Addresses: 127.0.0.10

You can tell which SORBS list you’re on using the table on this page. (If the SORBS website is down then the two interesting values are 127.0.0.10, which means you’re listed as a dynamically assigned address, and 127.0.0.6, which means you’re listed as a spammer).
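The lookup from step 2 as a script, added here as an illustration and not code from the original post: it builds the reversed query name and sorts the result into the three outcomes described above. The function names are made up for this example, and treating an answer outside 127.0.0.x as indeterminate is this example's assumption, not something the post states.

```python
import ipaddress
import socket

ZONE = "dnsbl.sorbs.net"  # zone named in the article
# Only the two return codes the article names; anything else needs the SORBS table.
CODES = {"127.0.0.10": "dynamically assigned address", "127.0.0.6": "spammer"}

def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone (ValueError on bad input)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A records for name via the OS resolver; [] means the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # NXDOMAIN as the OS reports it
            return []
        raise  # timeout, SERVFAIL and similar: the caller cannot tell
    return sorted({info[4][0] for info in infos})

def check(ip, resolve=system_resolver):
    """Return (verdict, query name, details) for one outbound IP."""
    name = query_name(ip)
    try:
        answers = resolve(name)
    except OSError as exc:
        return ("indeterminate", name, [str(exc)])
    if not answers:
        return ("not listed", name, [])
    hits = [a for a in answers if a.startswith("127.0.0.")]
    if not hits:
        # Assumption: an answer outside 127.0.0.x is a resolver rewriting
        # NXDOMAIN, not a listing, so no conclusion is drawn from it.
        return ("indeterminate", name, answers)
    return ("listed", name, [f"{a}: {CODES.get(a, 'see the SORBS table')}" for a in hits])

if __name__ == "__main__":
    # Constructed answers so the demo runs offline; call check(ip) with no
    # second argument to query the real zone.
    samples = {"13.12.11.10.dnsbl.sorbs.net": ["127.0.0.10"]}
    for ip in ("10.11.12.13", "10.11.12.14"):
        print(check(ip, lambda n: samples.get(n, [])))
```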
3. See if there’s any more data on the website
Check the GFI/SORBS website to see if there’s any more information available: http://www.sorbs.net/lookup.shtml
4. Is the GFI/SORBS listing causing the blocking?
By now you know that you are having mail rejected, and you are listed on SORBS. Those two things may not be connected, though. Can you send mail to, for example, AOL, Yahoo and Gmail? None of those ISPs use SORBS, so if your mail is being rejected there, then you have some sort of problem that is not related to the SORBS listing, and need to look at that.
I’ll assume that it’s a false listing, but you should check the SORBS FAQ to see if it’s a legitimate listing.
5. Work with the ISPs that are rejecting email

This is not just a GFI problem. Many mail server admins use the SORBS Dynamic IP list in their list of RBLs, that are not GFI customers. How do we get mail server administrators to understand that SORBS is broken and to disable it? (comment from yesterday)

If you’re only being blocked by a small number of recipients using SORBS then the best approach is to contact the administrators at those sites, explain that it’s a bogus listing, and ask them to whitelist your IP addresses. Maybe they’ll stop using SORBS altogether if they get too many of those requests. Sometimes, if the administrators are belligerent (insisting that you must be spammers because SORBS says so, for example), there’s nothing you can do and you should just write those recipients off as incompetent to run email and not worry about it too much.
6. Work with GFI to get delisted
If you decide that the right thing to do is to get GFI/SORBS to remove the false listing then prepare yourself for a long slog. I’ve seen clearly false listings kept up for several years, and even simple delistings can take months to resolve.
The SORBS website encourages users to handle delisting requests via this link. As we’ve explained over the past few days, that’s not the best idea:

  • Using that link as recommended will compromise the security of your machine by loading an untrusted SSL certification authority
  • The approach SORBS use to handle inquiries is designed to punish those who ask questions about a false listing by extending the listing, not responding to queries and pushing a delisting request to the “back of the queue” any time a question is asked
  • The ticket queue software is designed by the same people who designed the rest of the SORBS infrastructure so isn’t going to be any more reliable
  • Some of the things that GFI employees running SORBS require to get delisted are painful and expensive to do, as well as being pointless – some of their DNS requirements in particular are the IT equivalent of dancing three times widdershins around a sacrificed goat
  • Even if you do manage to get a false listing removed, it’ll just be added again the next time the database is reloaded.
  • The staff handling that queue are not professional support staff, rather they are the same people who developed SORBS. Quite apart from the other problems you’re likely to have interacting with them, they’re the least likely people to be responsive to a problem caused by their own mistakes.
  • There’s no record of your request in any real ticketing system, so there’s no GFI management visibility into responsiveness metrics

DEAR GFI: There is no way you could find a more incompetent set of people to run a RBL, or anything for that matter, regardless of how hard you might try. (Skyhawk)

GFI do have professional support staff, though, and they should be able to help with problems with their reputation products, including the SORBS blacklist. They have local contact numbers and addresses for many countries across the world listed on their contact page.
At the time of writing their US contact information is:

Technical Support: phone +1 (919) 297-1350, Support Form
Customer Support: phone +1 (888) 243-4329, phone +1 (919) 379-3397, fax +1 (919) 379-3402, uscustomerservice@gfi.com
Public Relations: press@gfi.com

I’m told that the first tier GFI support folks would rather not deal with SORBS and will push callers to use the SORBS ticketing system instead, so you may need to be persistent or escalate requests.
Good luck!
More tomorrow.

Related Posts

Getting removed from an ISP block

A question came up on a mailing list about how long it typically took to resolve a spam block at an ISP. I don’t think that question actually has a single answer, as each ISP has their own, special, process.
ISPA takes 5 minutes. You fill out a form, it runs through their automated system and you’re usually delisted.
ISPB asks a lot of questions in their form, so it takes about 15 minutes to collect all the data they want and 10 minutes to fill out their form. Then, using very, very short words you keep repeating what you need to the tier 1 person who initially responded. That person eventually figures out they can’t blow you off and throws your request to tier 2, who handles it immediately.
ISPC has a different, somewhat long form. Again, you spend time collecting all the data and then fill out the somewhat obscure form. You get a response, but it’s a boilerplate totally unrelated to the initial request, so you keep answering until you find a tier 1 rep who can read and do what you initially asked.
ISPD has a form that takes about 2 minutes to fill out. Unfortunately, it goes to an outsourced postmaster team in the Far East and response times are ranging from days to months right now.
ISPE has an email address and if you catch them on a good day, they’re very helpful. Sometimes there’s no response, though.
ISPF has a troubleshooting page and accepts requests to fix things, but never responds in any visible manner.
ISPG tells you to talk to Spamfiltering Company H.
Spamfiltering company H answers their email in a prompt and friendly manner. OK, sometimes the answers are just “wow, your client/customer/IP range is sending lots of spam,” but hey, it’s an answer.
Spamfiltering company I is a useless bag of protoplasm and don’t even answer the email address they give you on their webpages. In a fit of fairness, I have heard they will occasionally respond, but usually that response is to tell you to go pay some apparently unrelated company a bribe to get delisted.
Spamfiltering company J doesn’t have a lot of ways to contact them, but have a lot of folks that participate in various semi-public arenas so if you’re even slightly part of the community, you can email them and they’re very helpful.
Spamfiltering company K is totally useless, but will tell you to have recipients whitelist you.


GFI/SORBS considered harmful

A little over a year ago the SORBS blacklist was purchased by GFI Software. I had fairly high hopes that it would improve significantly, start behaving with some level of professionalism and competence and become a useful data source, in much the same way that the SpamCop blacklist turned into an accurate, professionally run source of data after they transitioned from being a volunteer run blacklist to a service of IronPort.
GFI’s statement a year ago was:


Guide to resolving ISP issues

I often get a chuckle out of watching some people, who are normally on the blocking end of the delivery equation, struggle through their own blocking issues. A recent situation came up on a mailing list involving someone who has very vehement opinions about how to approach her particular blocklist for delisting and who holds that the list’s policies are immutable. The company she works for is having some delivery issues and she’s looking for a contact to resolve the issues.
While digging through my blog posts to see if there was any help I could provide, I realized I don’t have a guide to resolving blocking issues at ISPs. Much of the troubleshooting can be done without ever contacting the ISPs or the blocklists.
Identify the issue.
There are a number of techniques that ISPs use to protect their users from malicious or problematic mail, from rate-limiting incoming mail, to putting mail in the bulk folder, to blocking specific IP addresses. Step one to resolving any delivery problem is to identify what is happening to the mail. In order to resolve the issue, you have to know what the issue is.
All too often, the description of a delivery problem is: My mail isn’t getting delivered. But that isn’t very clear as to what the actual problem is. Are you being temp failed? Is mail being blocked? Is mail going to the bulk folder? Is this something affecting just you or is it a widespread problem?
Troubleshoot your side.
Collect as much data about the problem as you can. Dig through logs and get copies of any rejection messages. Follow any URLs that are present in the bounce messages. Try sending a bare bones email to yourself at that ISP with just URLs. Is it still blocked? What if you send from a different IP? Does the same thing happen?
There is a lot of troubleshooting a sender can do without having to contact an ISP, and the information can lead to resolution that doesn’t involve having to contact the ISP. Also, many current ISP blocks are dynamic: they come up and go down without any human intervention. Those blocks that require contact to get them resolved have clear instructions in the bounce message.
Fix your stuff.
Whether it’s a reputation issue or a minor technical issue, fix the problem on your end. Just moving IP addresses or changing a URL isn’t a sustainable fix. There is a reason mail is being blocked or filtered and if you don’t fix that issue, the blocks are just going to come back. After you do fix your stuff, expect to see changes in a few days or a week. The ISP filters are generally quite responsive to sender improvements so if you’ve fixed the stuff you should see changes pretty quickly. Expect unblocking or filtering to take a little longer than the block was in place.
If you can’t figure out what the problem is, hire a consultant. Here at Word to the Wise we can often quickly identify a problem and provide a path to resolution. Sometimes the problem isn’t even the ISPs: we’ve had multiple cases where our clients were using custom software that wasn’t SMTP compliant, and we were able to identify the problem and get their mail working again. There are a host of other independent consultants out there that can also help you identify and resolve blocking problems.
Contact the ISPs.
If there is a hard block, or once you have fixed what you think the underlying problem is, you’ll have to contact the ISP. Many ISPs provide self service websites and contact forms to facilitate this process. Generally, though, most issues aren’t going to require contact.
