
SANS ISC: SORBS.NET - email RBL issues - Internet Security | DShield SANS ISC InfoSec Forums


SORBS.NET - email RBL issues

The email RBL service at sorbs.net seems to be having issues. Christopher alerted us to the issue yesterday around 4pm EST: his servers were blocking all inbound mail from Google and Yahoo based on the SORBS database. When we ran a few queries at the time, it looked more like a database problem than an actual blacklist entry. Since then it seems to have gotten worse, and the main sorbs.net website is down as well.

Two points:

1/ Tactically, if you are using sorbs.net to filter your email, you will probably want to temporarily modify your configs until the service is back and in good health.

2/ Strategically, putting all your eggs in one basket for anything in IT is not great.  Always architect core services so that they'll work if one component or another fails - everything breaks sometime, that's just life in IT.  Personally, I don't put a lot of faith in RBL services, but if I do use them for a client, normally I'll configure several of them (or at least 2), or even better, use the input from the RBL as only one factor in the "is it spam?" question that we need to ask for every inbound email. 

************** UPDATE ******************

It looks like this service was under a DDoS attack; they expect to be fully back in a few hours (as of 2:45-ish EST).

*******************************************

=============== Rob VandenBrink Metafore ===================

 

Rob VandenBrink

489 Posts
ISC Handler
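
An added example, not part of the original diary, of the strategic point above: each RBL is only one weighted factor, and a list that fails a basic sanity check is ignored instead of being allowed to reject mail. Zone names, weights, the threshold and the DNS answers are constructed for illustration; the sanity check relies on the test entries RFC 5782 requires of every IPv4 DNSBL (127.0.0.2 is listed, 127.0.0.1 is never listed).

```python
import ipaddress

# Constructed DNS data standing in for live lookups: query name -> A records.
# "broken.example" has bad data loaded: it lists a legitimate sender and also
# 127.0.0.1, which RFC 5782 says a DNSBL must never list.
FAKE_DNS = {
    "2.0.0.127.healthy-a.example": ["127.0.0.2"],
    "2.0.0.127.healthy-b.example": ["127.0.0.2"],
    "2.0.0.127.broken.example": ["127.0.0.2"],
    "1.0.0.127.broken.example": ["127.0.0.10"],
    "10.113.0.203.broken.example": ["127.0.0.10"],     # false hit on a good sender
    "66.100.51.198.broken.example": ["127.0.0.10"],
    "66.100.51.198.healthy-a.example": ["127.0.0.2"],  # listed by two healthy zones
    "66.100.51.198.healthy-b.example": ["127.0.0.4"],
}

def fake_resolve(name):
    """Hypothetical resolver: A records for name, or [] for NXDOMAIN."""
    return FAKE_DNS.get(name, [])

def query_name(ip, zone):
    """Build the DNSBL query: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def zone_is_healthy(zone, resolve):
    """RFC 5782 sanity check: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    listed_test = bool(resolve(query_name("127.0.0.2", zone)))
    listed_loopback = bool(resolve(query_name("127.0.0.1", zone)))
    return listed_test and not listed_loopback

def dnsbl_score(ip, weighted_zones, resolve):
    """Sum the weights of healthy zones listing ip; unhealthy zones add nothing."""
    score, skipped = 0.0, []
    for zone, weight in weighted_zones.items():
        if not zone_is_healthy(zone, resolve):
            skipped.append(zone)  # fail open and report it to the operator
        elif resolve(query_name(ip, zone)):
            score += weight
    return score, skipped

ZONES = {"healthy-a.example": 2.0, "healthy-b.example": 2.0, "broken.example": 2.0}
REJECT_AT = 3.5  # assumed threshold: no single list can reject on its own

def verdict(ip, resolve=fake_resolve):
    """Return (decision, score, skipped_zones) for a connecting IP."""
    score, skipped = dnsbl_score(ip, ZONES, resolve)
    return ("reject" if score >= REJECT_AT else "accept", score, skipped)
```

A zone that is unreachable or has been emptied also fails the check, because its 127.0.0.2 test entry no longer resolves, so it is skipped in the same way.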
Which "sorbs" are we speaking about? My mail servers are not blocking any more than usual from au.sorbs.net
Anonymous
We have experienced a DDoS attack today which was 'smart'; we have mitigated it, so the site is now operational if a user waits about 10-15 seconds for the response.

We have had reports that we have a database corruption, there is no evidence of that but to be safe we have emptied the DNS zone files and the rsync files until we can check the database for any possible errors. We expect this to be complete within 24 hours.

Michelle
Anonymous
We had several IPs in our static block getting rejected for being on the Dynamic IP list (dul.dnsbl.sorbs.net), and more started getting rejected for being on smtp.dnsbl.sorbs.net, but they all seem clear at the moment.

Having multiple RBLs in use is fine, but if an RBL has problems in a way that causes incorrect rejections then it doesn't matter if you use just one, unless as said it is only one factor in the decision - but a lot of configs will reject if ANY RBL gives a rejection.
Anonymous
Same for us, we have been rejected by duhl since yesterday 20:00 CET with our entire network (static one, for sure).
We seem to be cleared for an hour by now, let's see if we get listed again if the zone files get filled up.
Horrible failure, thousands of mails have been rejected. Can't imagine what trouble this has brought to the big service systems like gmail, who have been affected as well.
Torsten

3 Posts
Yeah, same here. Our company cannot email suppliers anymore!
Torsten
1 Posts
The problem we experienced was that 127.0.0.1 was listed in smtp.dnsbl.sorbs.net (and the aggregate zone). This was causing sendmail all sorts of problems.
Torsten
2 Posts
Problem located (not the 127.0.0.1 issue) and is being resolved. More of an update when we locate the originating cause, but it appears the migration from SORBS1 to SORBS2 was to blame for the actual listing problems.
Torsten
3 Posts
Problem located. Historical entries were migrated as current (historical is not identical to 'previously delisted' but the effect is the same.)

Database export still suspended whilst the problem is corrected.

I expect normal operations to resume within a few hours.

Michelle
Torsten
3 Posts
Between this incident, SORBS removal process, their dead-slow website and self-signed SSL cert - I dropped their service, plenty of other RDNSBLs to use out there.
Chavez243

15 Posts
As many others, well.
Thanks for the statement of the causing error anyway.

Probably you have not been under (d)dos, maybe it just was the high amount of requests of users which clicked the sorbs.net/lookup thing located in their rejected emails ;-)

Hopefully the admins out there recognize by now that dropping emails because of one hit to sorbs or any other rbl just isn't a good idea. Because every single one of them can have errors like this at any time.
Torsten

3 Posts
Can someone at SORBS truly say that listing problems have been solved?

We are a hosting service provider and have a /23 netblock which the Database Check shows has been removed from the DUHL list and the Delisting page suddenly shows the current status as Listed.

This does not look like a solved problem. We have hundreds of thousands of e-mail users struggling with this issue still :/

@SORBS Is there a way to get a human looking at issues? We've filed a ticket, but no reaction.
Torsten
1 Posts
Michelle,
If it's fixed as you say, why were IPs re-added to the list that were removed weeks ago? Our server was added weeks ago when we changed service providers. We jumped through all your hoops from TTL to rDNS naming conventions (how are you deciding what appropriate rDNS naming conventions are? You own the Internet now?) to finally be removed from the database. Starting last Tuesday morning Oct 5th, we were re-added. Why? Why are there not humans responding to people's problems? If there was a database failure, why are you not removing the re-added IPs that were removed?
Torsten
2 Posts
We are still on the list as of Oct 9th. I too ran into the problem of not being able to create a user account on the Sorbs website to even have the IP delisted. It's a joke, with absolutely no customer service whatsoever.
Torsten
2 Posts
Michelle,

Can you please help us? Several of our IPs are listed with you and we cannot log in to your site to delist. We also sent $50 each to the joey vs T3 PayPal address and have not seen any movement from you. Even your website contact form is not working. This is hurting our business very badly. We have always had respect for your organization, but to list and have no way to delist, even when someone pays, is kind of crazy. Please help us out here.
Torsten
1 Posts
