This page explains how to get servers that are listed as virus senders de-listed.

If you are listed in the spam, zombies, Hacked, DUHL, Open Relay, or Open Proxy server databases, this page is not for you!

Unless you are accessing one of the Details pages using the listed host, you will not get any further.

How did I get listed?!?
Quite simply, you delivered spam to a SORBS spamtrap, and analysis of that spam found it to be a virus-infected email.

Unfortunately this means that if you are just a relay for your users (e.g. you're an ISP) and are not scanning for viruses on your outbound mail servers, you will also get listed from time to time.

Note: For those that say scanning outbound mail for viruses is not possible, SORBS uses two single-CPU servers to process all emails received on the spamtraps. These servers:
  • Receive Emails
  • Extract Email content
  • Extract and verify the checksums of the content
  • Extract attachments from the embedded content
  • Use ClamAV to virus scan the attachments and if not a virus...
  • Send the attachments off to VirusTotal for scanning (using WebService::VirusTotal)
  • Send the attachments off to Emerging Threats for scanning
  • Wait for results from VirusTotal and Emerging Threats
  • Extract all URLs from the embedded content
  • Connect to a remote database and post all the results in multiple tables.
These two servers handle approximately 1.2 million emails per day and rarely exceed 50% CPU usage at any one time.
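
A minimal sketch of the kind of outbound check the steps above describe, added here as an example and not SORBS's own code: it parses a message, hashes each attachment, hands it to a scanner, and collects URLs from the text parts. The function names, the constructed sample message, and the use of clamscan on stdin as the default scanner are assumptions.

```python
import hashlib
import re
import shutil
import subprocess
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def clamav_scan(data: bytes):
    """Return a signature name, or None if clean or clamscan is not installed."""
    if shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(["clamscan", "--no-summary", "-"],
                          input=data, capture_output=True)
    if proc.returncode == 1:  # clamscan exits 1 when a signature matches
        return proc.stdout.decode(errors="replace").split(":", 1)[-1].strip()
    return None

def inspect_message(raw: bytes, scan=clamav_scan):
    """Hash and scan every attachment; collect URLs from text parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"attachments": [], "urls": set(), "infected": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            verdict = scan(payload)
            report["attachments"].append({
                "name": part.get_filename(),
                "sha256": hashlib.sha256(payload).hexdigest(),
                "verdict": verdict,
            })
            report["infected"] = report["infected"] or verdict is not None
        elif part.get_content_maintype() == "text":
            report["urls"].update(URL_RE.findall(payload.decode("utf-8", "replace")))
    return report

def build_sample() -> bytes:
    """Constructed sample message (not real mail) with one attachment and one URL."""
    m = EmailMessage()
    m["From"] = "user@example.com"
    m["To"] = "trap@example.net"
    m["Subject"] = "invoice"
    m.set_content("See http://example.org/invoice?id=1 for details.\n")
    m.add_attachment(b"constructed test bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()
```

On an outbound relay, a message whose report has infected set would be rejected or quarantined before it leaves the network.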

My host has been fixed and I have been re-tested clean, why am I still in the DB...?
SORBS sets a 'block' flag in the database rather than removing the entry. This ensures that recurring hosts are tracked, so they become more and more difficult to remove from the database the more often they are tested open.

Database entries are purged after 'n' years of no activity, where 'n' = number of re-activations after re-tests showed clean.

My address entry shows 'inactive and not flagged' but I still see an entry in DNS, why...?
Because of load issues with DNS-based block lists, SORBS sets each positive entry to a 2 day TTL. This means that the DNS server you queried will hold the entry for 2 days, even when it has been removed from the SORBS database.

Yes, it will cause you pain that neither you nor SORBS can control, however maybe that will be enough pain to ensure that you don't end up back in the database.

How do I get delisted?
Simple: use the Delist an IP Address button from the listed host to self-delist. If you are unable to use the IP address, use the same form and submit a support ticket, where the robots will normally delist your host if you have waited at least 24 hours from the initial listing.

If you are an ISP you may register for Manager Access which will give you more direct access to the listings within your delegated networks.

Copyright © 2002-2023 by SORBS