Date:      Sat, 12 Feb 2005 03:18:17 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        <cpghost@cordula.ws>, <freebsd-questions@freebsd.org>
Subject:   RE: mx2.freebsd.org in SORBS, AGAIN!
Message-ID:  <LOBBIFDAGNMAMLGJJCKNMEGDFAAA.tedm@toybox.placo.com>
In-Reply-To: <20050212042318.GA34223@fw.farid-hajji.net>



> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
> cpghost@cordula.ws
> Sent: Friday, February 11, 2005 8:23 PM
> To: freebsd-questions@freebsd.org
> Subject: mx2.freebsd.org in SORBS, AGAIN!
> 
> 
> Hello,
> 
> for some reason, mx2.freebsd.org is being repeatedly added to,
> and some days later removed from the SORBS dnsbl. They keep
> adding it, and then removing it with a reason: Listed in error.
> Right now, it's listed again.
> 
> From their DB page http://www.dnsbl.us.sorbs.net/lookup.shtml
> 
> Database of servers sending to spamtrap addresses
> Address:	216.136.204.119
> Record Created:	Mon Jan 31 10:14:47 2005 GMT
> Record Updated:	Thu Feb 10 04:59:33 2005 GMT
> Additional Information:	Received: [email]
> Currently active and flagged to be published in DNS
> 
> This is going on for many days now, and the only workaround
> (or solution?) is to avoid SORBS until they fixed that problem
> for good.
> 
> Does anyone know what's going on there?
> 

A spammer is forging several of SORBS spamtrap e-mail
addresses on their outgoing spams.  The spams hit freebsd.org
which of course is bouncing them back to the sender, which
in this case is the spamtrap e-mail addresses.  This
triggers the SORBS autolisting.

I don't know if the spammer knows that they have stumbled
over a SORBS spamtrap address or not.  They probably have
figured it out by now, though, and are now deliberately
attacking SORBS by repeatedly sending out spams with
the forged spamtrap address.

The goal of course is to do EXACTLY as you are advocating -
to get people to stop using SORBS.  If enough people do this then SORBS
becomes ineffective and we have just lost one more blacklist.

If you're using sendmail, you should be able to work around this by
putting the freebsd.org mailserver's IP address in your access.db
file; that should override the lockout check.  (assuming you're
using sendmail to call SORBS)  If you're using SORBS from
SpamAssassin, then you can whitelist the freebsd mailing list
traffic.

If this is the case it will be very difficult for the SORBS
operators to figure out which ones of their honeypots have been
compromised, if the spammer knows what they are doing.

I personally don't use SORBS on my mailservers, but not because
I don't think they are a good blacklist.  I really don't know
enough about them to know if they are good or not.  However
I do run a script that examines the counts of mail blocked by
blacklist servers, and I periodically review them and prune
away the blacklist servers that appear to be ineffective.  I would
suggest that you do the same and use the results of this
to determine whether to continue using SORBS.

Ted
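
Added example, not part of the original message and not Ted's script: one way to count DNSBL rejections per blacklist from a sendmail maillog, flag lists that block too little to be worth keeping, and show which list is rejecting the freebsd.org relay (216.136.204.119, the address quoted above). The log format (sendmail's default dnsbl reject text), the zone `bl.example.org`, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed log format: sendmail's default FEATURE(`dnsbl') reject text,
# "Rejected: <client ip> listed at <zone>", as it appears in maillog.
REJECT_RE = re.compile(
    r"reject=\d{3} (?:\d\.\d\.\d )?Rejected: (?P<ip>\S+) listed at (?P<zone>\S+)")

# Constructed sample lines (not real traffic). bl.example.org is hypothetical.
SAMPLE_LOG = """\
Feb 12 03:01:10 mx sm-mta[811]: ruleset=check_relay, arg1=h1.example.com, arg2=192.0.2.10, relay=h1.example.com [192.0.2.10], reject=550 5.7.1 Rejected: 192.0.2.10 listed at dnsbl.sorbs.net
Feb 12 03:02:44 mx sm-mta[812]: ruleset=check_relay, arg1=mx2.freebsd.org, arg2=216.136.204.119, relay=mx2.freebsd.org [216.136.204.119], reject=550 5.7.1 Rejected: 216.136.204.119 listed at dnsbl.sorbs.net
Feb 12 03:05:02 mx sm-mta[815]: ruleset=check_relay, arg1=h2.example.com, arg2=198.51.100.7, relay=h2.example.com [198.51.100.7], reject=550 5.7.1 Rejected: 198.51.100.7 listed at bl.example.org
Feb 12 03:06:31 mx sm-mta[816]: j1CB6V1x000816: to=<user@example.com>, delay=00:00:01, mailer=local, stat=Sent
Feb 12 03:09:15 mx sm-mta[820]: ruleset=check_relay, arg1=h3.example.com, arg2=203.0.113.5, relay=h3.example.com [203.0.113.5], reject=550 5.7.1 Rejected: 203.0.113.5 listed at dnsbl.sorbs.net
""".splitlines()


def count_dnsbl_rejects(lines, watch_ips=()):
    """Return (rejections per DNSBL zone, rejections of watched IPs per zone)."""
    per_zone, watched = Counter(), Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue  # deliveries and other non-DNSBL log entries
        zone = m.group("zone").rstrip(".").lower()
        per_zone[zone] += 1
        if m.group("ip") in watch_ips:
            # A relay you want mail from (here the list server) was blocked.
            watched[(m.group("ip"), zone)] += 1
    return per_zone, watched


def ineffective(per_zone, configured, min_hits):
    """Configured zones that blocked fewer than min_hits messages."""
    return sorted(z for z in configured if per_zone[z] < min_hits)


if __name__ == "__main__":
    zones, hits = count_dnsbl_rejects(SAMPLE_LOG, watch_ips={"216.136.204.119"})
    for zone, n in zones.most_common():
        print(f"{n:6d}  {zone}")
    for (ip, zone), n in hits.items():
        print(f"watched relay {ip} rejected {n}x by {zone}")
    print("prune candidates:", ineffective(zones, list(zones), min_hits=2))
```

Run it over a rotated maillog for a fixed period so the counts are comparable between reviews.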


