  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1074
  • Last Modified:

black listed at sorbs.net

I have a dedicated server where I host a few small websites.

Just lately I have been having some emails blocked. I investigated by going to www.mxtoolbox.com and saw there that the server is on a blacklist at sorbs-spam.

If I go to http://www.sorbs.net/lookup.shtml the connections seem to take ages.

I thought it might be as well to register. I went to https://www.sorbs.net/scgi-bin/login and get an error message

There is a problem with this website's security certificate.
   
 The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
  We recommend that you close this webpage and do not continue to this website.  
  Click here to close this webpage.  
  Continue to this website (not recommended).  

I am wondering if there is any way I can find out why I am blacklisted and what I can do to correct the situation.

Many Thanks

John
0
johnhardy
Asked:
3 Solutions
 
KorbusCommented:
I somehow seemed to get it to work at this address:
http://www.au.sorbs.net/cgi-bin/support

(notice the au)
That's pretty bad on their part :(
0
 
johnhardyAuthor Commented:
Thanks Korbus
I tried to register on this page but received the error

This web page is not available
The web page at https://www.secure.sorbs.net/?uid=&pass=&return=http%3A%2F%2Fwww.au.sorbs.net%2Fcgi-bin%2Fsupport&action=Register might be temporarily down or it may have moved permanently to a new web address.
Here are some suggestions:
Reload this web page later.
Error 7 (net::ERR_TIMED_OUT): The operation timed out.

I will try again later
0
 
johnhardyAuthor Commented:
I further tried to register but receive this warning. Pls see image
Thanks
John

 Sorbs-Server-Error
0

 
KorbusCommented:
Hi John,

I'm shocked that they do not have a trusted certificate.  I also scoured their website for contact information: none!  Though it's working better today, the site was definitely having trouble yesterday, it was NOT you.

This security message indicates that although they have a certificate, they probably created it themselves, rather than using a trusted authority (perhaps for $$$ reasons?)

If you are going to be punching in your company name and server's IP, I wouldn't sweat that warning too much.  But, I WOULD advise against putting any Credit Card or other sensitive information in there.

0
 
johnhardyAuthor Commented:
Thanks Korbus
I also contacted MXtoolbox.com on page http://www.mxtoolbox.com/BlacklistSuggestions.aspx?ip=217.174.xxx.x. They have a help page but they have not answered as yet.

0
 
aleghartCommented:
Michelle/Matthew Sullivan runs that list.  There have always been funding and connectivity issues, as well as some attacks.  The mailing list has been pretty quiet for years, maybe one post a month, if that.

Trying to hit www.Sorbs.net has been 50/50 just to load the first page (from California).  So, could be another DDOS attack or connectivity issue.

IIRC, GFI worked a buyout, but I don't know if the site is still being run by Michelle.  They're supposed to be pumping a little money into it and expanding to multiple data centers to make the service less prone to outage or reduced service.
0
 
Ron MalmsteadInformation Services ManagerCommented:
Sorbs is a scam company, and they have been the subject of numerous lawsuits since their inception.

How they managed to get their extortionist "service" hard coded as default into so many brand name firewalls (ie Sonicwall, Linksys)  ...is beyond me.

Read this.
http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/Email/SMTP/Q_24767600.html

0
 
johnhardyAuthor Commented:
Thanks for all the information.
I am not clear what I can do next. I am still apprehensive about proceeding past the security warning that appears if I start the registration process.

Are there any suggestions how I can get off this list please?
0
 
aleghartCommented:
The website forms have always been the standard process.

Did you check the signing on the cert?  Self-signed, probably.  Nothing should be entered into _any_ forms that aren't already public or semi-public info anyway.

IIRC, it was a self-signed cert the first time I registered.  Some RBL sign-up forms say that the alternative is an HTTP page with no SSL, so I'd pick the self-signed cert over that.
0
 
aleghartCommented:
Yep, I just looked.  It's the same self-signed cert with the same page explaining it.  Nothing nefarious there.
0
 
Ron MalmsteadInformation Services ManagerCommented:
This is probably not what you want to hear, but, I had to threaten legal action to SORBS admins before they would delist me without paying the "fine".  It took nearly a month to resolve the issue.

...that was then and this is now, so hopefully they've changed their ways, but somehow I doubt it.

After that fiasco I took sorbs off of all my firewalls.... and now if someone tells me they can't get my email because of SORBS I consider it to be their problem, not mine.
0
 
Ron MalmsteadInformation Services ManagerCommented:
The self signed cert is not nefarious .. but it is strange for them not to have a paid ssl cert.  You don't expect to see those warnings on what are considered well known sites.
0
 
aleghartCommented:
Well known doesn't correlate to funding.  There have been many instances where server space or bandwidth was lost.  In 2009, the site was facing permanent shutdown until GFI came along.

It would cost thousands of dollars to get commercial SSL certs for all of the servers.  Getting a single GoDaddy-type cert for under $50 wouldn't cut it.  That would be more of an issue to me than using self-signed, and publicly documented, certs to reduce the operating overhead.

RBLs are run by the algorithms and sometimes whims of the operators/admins.  None are 100% clean, 100% fair, or 100% available.  That's why most admins, firewalls, mail servers, etc. use multiple lists in a scoring hierarchy.

Like you said, any mail admin who is bouncing your mail due to a single hit on _one_ list has the problem.  That's overly paranoid, unless it's your personal mail server.  Then, anything goes...kind of like the RBLs.  My server, my rules.
0
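The multi-list scoring described in the comment above, set beside a single-list check, as an added example that is not part of the original thread. The zone names, weights, threshold and DNS answers are hypothetical and constructed for illustration; the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket

# Hypothetical zones, weights and threshold, constructed for this example.
DNSBL_WEIGHTS = {"bl-a.example": 3.0, "bl-b.example": 2.0, "bl-c.example": 1.5}
REJECT_THRESHOLD = 4.0  # assumed policy: no single list reaches this alone
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (the DNSBL query form)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listed(ip, zone, resolve=system_resolver):
    """Listed only if the answer is in 127.0.0.0/8; a parked or wildcarded
    zone that answers with some other address is not treated as a listing."""
    answer = resolve(dnsbl_query_name(ip, zone))
    try:
        return answer is not None and ipaddress.IPv4Address(answer) in LISTED_NET
    except ValueError:
        return False


def score_sender(ip, resolve=system_resolver, weights=DNSBL_WEIGHTS,
                 threshold=REJECT_THRESHOLD):
    """Sum the weights of every list that has the IP; reject at the threshold."""
    hits = [zone for zone in weights if is_listed(ip, zone, resolve)]
    score = sum(weights[zone] for zone in hits)
    return {"hits": hits, "score": score, "reject": score >= threshold}


def stub_resolver(records):
    """Offline resolver over a dict of constructed DNS answers."""
    return records.get


# Constructed answers for three documentation-range senders.
SAMPLE_RECORDS = {
    "10.2.0.192.bl-a.example": "127.0.0.2",    # on one list only
    "20.2.0.192.bl-a.example": "127.0.0.2",    # on two lists
    "20.2.0.192.bl-b.example": "127.0.0.4",
    "30.2.0.192.bl-c.example": "203.0.113.5",  # non-127 answer: ignored
}

if __name__ == "__main__":
    resolve = stub_resolver(SAMPLE_RECORDS)
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, score_sender(ip, resolve))
```

A receiver that rejects on `is_listed()` alone would refuse 192.0.2.10, while the scored policy only refuses 192.0.2.20.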
 
johnhardyAuthor Commented:
I entered the site, completed the application form and have heard no more from sorbs.

It seems that a lot of the site just does not work; there is a de-listing link but it doesn't work, and there are pages there just full of rubbish, like a page devoted to the thoughts of a server, e.g.

Two weeks of information underload,
and then *pffftt*, consigned to the trash.
What kind of a life is that?
They won't even upgrade my hardware..
The diodes down my left side are hurting again..
They won't replace them you know..
Now, please leave me, I just want to be alone for a while.
I'm so depressed...._
I found it on https://www.au.sorbs.net/tools/spam
I just don't know what to do next. Seems criminal that someone can arrange a setup that can ruin a business for no good reason.

0
 
aleghartCommented:
>....Seems criminal that someone can arrange a setup that can ruin a business for no good reason

A single RBL cannot ruin a legitimate business.  That's a common whine that usually comes from spammers.

If your customers are using a single RBL to completely block SMTP relay, then call the customer or the mail server admin and advise them that the RBLs are designed for scoring, not for binary on/off switches.

If you have no rapport with your customers, and/or you are appearing on several lists at once...then don't blame it all on the RBL.  There is something missing in the business relationship.  I had a client contact us and tell me which way was up when I configured an RBL filter to block her whole ISP.  She was right to be annoyed, and I fixed it the same day.

Similarly, if your IP address falls in a netblock that is problematic, or has been declared as "SMTP not allowed" by the ISP controlling the addresses, then a legitimate business can route SMTP traffic through another IP address or another server.

I have several possible routes for outbound traffic.  None are listed in an RBL.  If one were, I could relay through others.

If you haven't made, or refuse to make, a backup plan, then it's designed to fail.

If you don't already have alternate networks available, you can rent SMTP services.  They used to be cheap.  But now they're a bit pricey because of the policing that must take place to stop spammers (who claim to be legit) from plunking down a credit card and ruining a block of IP addresses.

I've been listed a few times  after workstation infections spewed hundreds or thousands of emails.  I've also been listed because an ISP incorrectly listed an IP address as residential.  The delays were non-existent, or lasted a couple of days, during which time we relayed SMTP traffic through the ISP relay or a 3rd-party rented service until things were running again.
0
 
Ron MalmsteadInformation Services ManagerCommented:
Aleghart,

Maybe it's not RUINING his business but surely it's causing a disruption and disruptions mean dollars lost.

....you are saying that it's his fault that he didn't spend extra money for extra backlinks and networks and alternate smtp relay...foreseeing this disruption in his communications because of SORBS ??

wow...

I think he has plenty of reason to be irritated by this, especially since SORBS doesn't maintain their process for requesting removal.  Their site is BROKEN !...for like 2 years now !

Let me say it again...
SORBS is a SCAM company.

"Joey" the fake admin from Australia should be in jail.
0
 
aleghartCommented:
Irritated, definitely.  I was spouting obscenities like Yosemite Sam when my mail queue started backing up and I was getting phone calls and emails asking why, and how soon would it get fixed.

If your business relies 100% on email through a fragile single-path system, then there should be an admin who can fix it, or at least a backup plan.

Or, the first time it happens, you'll have to figure it out quick.

An RBL admin has zero reason to hop around for anyone.  A list is just a list.  There are thousands of entries to be updated daily.  The queue will never end.  And...as many RBL admins have said...if you can't follow the instructions, don't blame me.  Then, they get all preachy, or tell you to buzz off and try again.

I get it.  Irritating.  And the site sucks.  And Michelle is not the most gracious if you ever manage to get an email response.  I've been getting the update emails for 5 years or so, and there's little patience...especially considering their "system" is SLOW.

---100% agree---


But I see the complaints all the time how one single RBL ruined a legitimate business, and lawsuits are coming, and the list is evil, and it's a free world/internet...so stop blocking my legitimate spam.

That detracts from an argument for getting faster responses to a de-listing request.

So:

1. web site slow, or not loading - could be connectivity, servers down, DDoS attack, or combination thereof

2. lack of SSL a bit scary - but clearly documented for years now

3. lack of communication from RBL admin - this part sucks; could be #1, but could just be a long queue of requests

But, throwing random nonsense like "ruin" and "evil" and "bad poetry" is nothing but a distraction.  Stick to the complaint....I want to be delisted.

There's no conceivable way I can see a single RBL taking out a properly designed (or even half-adequate) email system.  If you can explain how that can happen, I'll understand.

I fall into that "half-adequate" description.  If there's a problem, I'll fix it or re-route the traffic...or call/hire someone to help out.  It's the internet.  There are bumps in the road.  You have to learn to deal with it without declaring the entire universe evil.
0
 
johnhardyAuthor Commented:
Thanks for all of the pointers and comments.

I do not have the expertise that is clearly shown here.

I would like to get delisted from sorbs but this seems impossible as their present web site does not seem to allow this.
>or call/hire someone to help out

Any pointers where this can be done may assist.


0
 
aleghartCommented:
Did you complete the registration process to get an account?  Ironically, the confirmation email they send gets filtered out as spam by Gmail's mail servers, so look there.  There is a confirmation link you must click/follow for their system to finish setting up the account.

That's all moot if the site is not responding, or if the admins are slow to help, so I'd move to the next step anyway.

Do you know how email traffic works?  If not, then ask for help on that.  I don't see how one RBL entry can actually block all of your email, so you'd have to explain how that is happening.

If you're just complaining about being on a list...well, over half the world are on RBL lists.  Most residential or low-end business users are listed as IP addresses without SMTP server privileges.  That's expected, and normal.

Your mail service should have a specified outbound SMTP relay.  Where is that relay?  Is it on a network that's allowed to send SMTP traffic?  Does it have an IP address that appears on RBLs?

0
 
johnhardyAuthor Commented:
Thanks aleghart
I will try to explain where I am with those items.
Not all emails are blocked. Some get through, others are rejected quickly.

I first realised something was wrong when a client paid for an ebook via PayPal and then complained he had not received the ebook via email even though it was sent.

It seems that not all servers issue a rejection notice so I am not sure who receives and who does not. This will also apply to other web sites I host on that server.
Then I started seeing the other rejections and messages.

I was using mail.mydomain.co.uk for the smtp outbound but have changed that to mail.btconnect.com now, but I don't suppose that makes any odds.

>Does it have an IP address that appears on RBL

Sorry aleghart, I don't understand that last question.

0
 
aleghartCommented:
The outbound relay would be the concern, not where your website or home or office is.  If you are using your internet service provider's mail relay, then you can't do anything.  You need to contact them and tell them your mail is being bounced because _their_ IP address is listed on an RBL.

I don't issue rejection notices that state what RBL is used, so I don't understand how a rejection notice = a problem with an RBL.

What exactly did the rejection notice say?  If you're posting here, please obscure any private information like email addresses.
0
 
johnhardyAuthor Commented:
This was received as an attachment to a rejected email

Reporting-MTA: dns;mail.xxxx.co.uk
Received-From-MTA: dns;xxxxpc2
Arrival-Date: Sun, 8 May 2011 10:25:24 +0100

Final-Recipient: rfc822;yyy.zzz101@gmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550-5.7.1 [217.174.241.1 1] Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review
550 5.7.1 our Bulk Email Senders Guidelines. k42si11157751eek.75
0
 
aleghartCommented:
The originating IP address comes from: Fasthosts Internet Limited

Nothing you can do about de-listing from SORBS, since the IP address doesn't belong to you.  Contact your account manager or tech support to file a ticket about that.  But it's a minor issue or non-issue from the viewpoint of this problem.

The error appears to be a Gmail bounce from a Google mail server?  Trust me, they don't use an RBL like SORBS for their primary scoring system.  Nor do they use only one positive score to boot a mail connection.

If your web site is scripting an automated email, then check with your hosting provider for the proper SMTP relay address to use.  Many web hosting accounts cannot use the web host to send out mail.  It must be relayed through another SMTP server.

Are you trying to send mail from your web server?
0
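A parser for the kind of bounce quoted above, as an added example that is not part of the original thread: it separates the Status field written by the reporting MTA from the enhanced code in the remote server's multi-line reply, and reports whether the reply text names a blocklist at all. The sample DSN is constructed, modelled on the quoted bounce with placeholder hosts and the documentation address 192.0.2.1; the function names are hypothetical.

```python
import re

# Constructed sample modelled on the bounce quoted in the thread; the host
# names, recipient and 192.0.2.1 are placeholders.
SAMPLE_DSN = """\
Reporting-MTA: dns;mail.example.co.uk

Final-Recipient: rfc822;user@example.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550-5.7.1 [192.0.2.1] Our system has detected an unusual rate of
550-5.7.1 unsolicited mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been blocked.
550 5.7.1 Please review our Bulk Email Senders Guidelines.
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
REPLY = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$")
# Enhanced status code meanings (class and subject digits, RFC 3463).
CLASSES = {"2": "success", "4": "temporary failure", "5": "permanent failure"}
SUBJECTS = {"1": "addressing", "2": "mailbox", "3": "mail system",
            "4": "network or routing", "5": "protocol", "6": "content",
            "7": "security or policy"}

def parse_dsn_fields(text):
    """Collect 'Name: value' fields; other non-blank lines continue the last one."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2).strip()
        elif not line.strip():
            last = None
        elif last:
            fields[last] += "\n" + line.strip()
    return fields

def parse_smtp_reply(diagnostic):
    """Join a multi-line SMTP reply and pull out its basic and enhanced codes."""
    code = enhanced = None
    parts = []
    for line in diagnostic.partition(";")[2].splitlines():
        m = REPLY.match(line.strip())
        if m:
            code, enhanced = m.group(1), m.group(2) or enhanced
            parts.append(m.group(3))
        else:
            parts.append(line.strip())
    return {"code": code, "enhanced": enhanced,
            "text": " ".join(p for p in parts if p)}

def explain_bounce(text):
    """Summarise which status applies and whether a blocklist is named."""
    fields = parse_dsn_fields(text)
    reply = parse_smtp_reply(fields.get("diagnostic-code", ""))
    status = reply["enhanced"] or fields.get("status", "")
    cls, subject = (status.split(".") + ["", ""])[:2]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", reply["text"])
    named = re.search(r"\b(dnsbl|rbl|blacklist|blocklist)\b", reply["text"], re.I)
    return {"smtp_code": reply["code"], "local_status": fields.get("status"),
            "remote_status": reply["enhanced"], "class": CLASSES.get(cls),
            "subject": SUBJECTS.get(subject),
            "blocked_ip": ip.group(1) if ip else None,
            "names_blocklist": bool(named)}
```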
 
johnhardyAuthor Commented:
Thanks for the valued advice.

>Are you trying to send mail from your web server?

Would that be where the email account outbound entry  on this machine is set to mail.xxxxx.co.uk. If so yes I have used that and so have some websites hosted on the server.

I have raised a ticket with fasthosts.

A couple of images that look interesting I attach below.
 Sorbs MXToolbox
0
 
aleghartCommented:
>Would that be where the email account outbound entry  on this machine is set to mail.xxxxx.co.uk.

What is "this machine"?  Your personal computer?  A server?  The webhost's server?

>If so yes I have used that and so have some websites hosted on the server.

In a shared hosting environment there are generally three different types of servers: web, database, mail.  If your web server needs data, it calls a database server.  If the web server needs to send mail, it relays out through a mail server.

Web servers can sit in a block of IP addresses that have been designated as "no SMTP allowed".  Which means that they shouldn't be sending mail directly.  They should relay through an SMTP relay.

I don't know what you're trying to show with these images.  Are we back to the RBL again?  All that says is that their database shows a spam report for that IP.  Has nothing to do with the name of your domain.  For all you know, you could be one out of 100 or 200 "domains" parked at that IP address.

I don't see the relevance to Gmail bouncing based on your IP address.

0
 
johnhardyAuthor Commented:
Sorry for not being clear.
"This machine" is my personal computer where I conduct my business and development, web design etc.
At fasthosts I rent a dedicated server where the websites are hosted; this is a Windows 2003 server.

Just now another email refused to forward from my PC.

I am attaching an image of this
 
Email error
0
 
aleghartCommented:
1. Are you sending mail through your ISP's SMTP relay, or via your own in-house relay?

2. If in-house, is your IP address allowed to send its own outbound SMTP traffic, or is it part of a dynamic block?

3. If using the ISP's SMTP relay, then contact the ISP to resolve the bounce issues.  If their primary SMTP relay is black-listed, they could give you another SMTP relay to use until the problem is resolved, or they'll just work on it internally.

I don't understand why you're getting this 550 error from Norton Internet Security...perhaps because you're using an invalid TLD "rs", which points to nothing.

Why are you using dummy email addresses?
0
 
johnhardyAuthor Commented:
Thanks so much for all your help aleghart
I greatly regret I am not sufficiently knowledgeable to answer your questions.

I hope later this week to involve a friend who is more knowledgeable than me to help me understand the terminology I will then be able to answer your questions.

>Why are you using dummy email addresses?

If you are referring to 550 error message above they are the correct forwarding addresses for an enquiry email received.
0
 
aleghartCommented:
The 550 error is coming from your anti-virus software.  Norton intercepts SMTP traffic and scans/filters it before passing it through.

In this case, it looks like your anti-virus software stopped it.  Probably flagging it as an unknown address, and possibly a virus trying to send out spam.

You need to re-configure your anti-virus software, or send only with your own email addresses (known to the software).
0
 
johnhardyAuthor Commented:
Many thanks for all the help.
I have certainly learned a great deal and much more to go I expect.
Very sorry there's not more points to spread around.

Thanks again
Regards
John
0
 
johnhardyAuthor Commented:
I received an email from Sorbs Support. Thought it would be interesting to read.

Your request appears to have been resolved. If you have any further questions or concerns, please respond to this message.
Please note:

If your IP address has been delisted (marked as 'Inactive'), it will take up to 2 hours to get from the database to all the SORBS DNS servers.  Changes to the database are exported to the DNS zone files periodically, not immediately after every change.  Furthermore, after the updated database contents have been exported to the DNS zone files, it will then take up to 48 hours for the outdated DNS information to be removed from DNS caches around the world - none of these are in SORBS' control.

Please do not reply to this call with problems not related to this ticket or your request will be ignored.
0
 
aleghartCommented:
Sounds pretty standard.  That last line is fair notice to people who just hit 'Reply' to the email instead of logging a new trouble ticket.  Other tech support emails have something similar, as well as email blasts and newsletters.
0
