This page explains how to get a server that is listed as a virus sender de-listed.
If you are listed in the spam, zombies, Hacked, DUHL, Open Relay, or Open Proxy server
databases this page is not for you!
Unless you are accessing one of the Details pages using the listed host you will not get any further.
|How did I get listed?!?
Quite simply you delivered spam to a SORBS spamtrap and analysis on that spam found it
to be a virus infected email.
Unfortunately this means that if you are just a relay for your users (e.g. you're an ISP) and are
not scanning for viruses on your outbound mail servers you will also get listed from
time to time.
Note: For those who say scanning outbound mail for viruses is not possible, SORBS uses
two single CPU servers to scan all emails received on the spamtraps. Those servers:
- Receive Emails
- Extract Email content
- Extract and verify the checksums of the content
- Extract attachments from the embedded content
- Use ClamAV to virus scan the attachments and if not a virus...
- Send the attachments off to VirusTotal for scanning (using WebService::VirusTotal)
- Send the attachments off to Emerging Threats for scanning
- Wait for results from VirusTotal and Emerging Threats
- Extract all URLs from the embedded content
- Connect to a remote database and post all the results in multiple-tables.
These two servers handle approximately 1.2 million emails per day and rarely exceed
50% CPU usage at any one time.
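For a relay operator who wants to see what the extraction steps above look like on outbound mail, here is an added example (not SORBS's code) that pulls attachments, their SHA-256 checksums and URLs out of one message using only the Python standard library. The sample message, the `analyse` and `build_sample` names and the `known_bad` digest set are assumptions made for illustration; a real deployment would pass each attachment on to a scanner such as ClamAV.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def build_sample() -> bytes:
    """Constructed test message: a text body with one URL plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "someone@example.net"
    msg["Subject"] = "invoice"
    msg.set_content("See http://example.org/invoice?id=1 and the attached file.")
    msg.add_attachment(b"constructed bytes, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    return msg.as_bytes()

def analyse(raw: bytes, known_bad: frozenset = frozenset()) -> dict:
    """Extract attachments (with SHA-256) and URLs from one raw message.

    known_bad is a hypothetical local set of digests already judged malicious;
    anything not in it would still need to go to a real virus scanner.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"attachments": [], "urls": [], "reject": False}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""  # undo base64/QP
            digest = hashlib.sha256(data).hexdigest()
            hit = digest in known_bad
            report["attachments"].append(
                {"name": part.get_filename(), "size": len(data),
                 "sha256": digest, "known_bad": hit})
            report["reject"] = report["reject"] or hit
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in report["urls"]:
                    report["urls"].append(url)
    return report

if __name__ == "__main__":
    print(analyse(build_sample()))
```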
|My host has been fixed and I have been re-tested clean, why am I still in the DB...?
SORBS sets a 'block' flag in the database rather than removing the entry. This ensures that
recurring hosts are tracked, so the more often they are tested open, the more difficult
they become to remove from the database.
Database entries are purged after 'n' years of no activity, where 'n' = number of
re-activations after re-tests showed clean.
|My address entry shows 'inactive and not flagged' but I still see an entry in DNS, why...?
Because of load issues with DNS-based block lists, SORBS sets each positive entry to a 2 day TTL.
This means that the DNS server you queried will hold the entry for 2 days, even when it has
been removed from the SORBS database.
Yes, it will cause you pain that neither you nor SORBS can control, however maybe that will
be enough pain to ensure that you don't end up back in the database.
|How do I get delisted?
Simple: use the Delist an IP Address button
from the listed host to self-delist. If you are unable to use the IP address, use the
same form and submit a support ticket, where the robots will normally delist your host if
you have waited at least 24 hours from the initial listing.
If you are an ISP you may register for Manager Access which will
give you more direct access to the listings within your delegated networks.