Retest FAQ

Fighting spam by finding and listing Exploitable Servers.

Not Logged in

Login Register

General

Database Check

Help & Support

Home Page

Mailing Lists

SORBS News

Privacy Policy

SORBS Submissions

Using SORBS

Want to help..?

Listing & Delisting

Dynamic IP FAQ

(De)Listing Overview

Proxy Retest FAQ

Relay Retest FAQ

Spam Database FAQ

Vulnerability FAQ

Zombie Netblock FAQ

FAQs and Information

DNS Primer

End User Info

General Q & A

Open Proxy Info

Open Relay Info

SSL Certificates

Securing Mailservers

Spam Fighting FAQ

Sponsor Info

Wiki

Support Request FAQ

Additional Menu

SORBS Admin

Mail/Contact Form

Nemesis BBS

SORBS Projects

SORBS Webmail

iSux Admin

iSux Homepage

iSux Projects

iSux Webmail

Webmail

Introduction

This page is to give information about getting proxy servers and open relay servers retested.

If you are listed in the spam, zombies, DUHL, or hacked server databases this page is not for you!

Unless you are accessing one of the Open Relay or Proxy Details pages you will not get a retest key.

How to get Re-Tested!

Warning:Whilst the Distributed Denial of Service attacks continue on SORBS it is impossible to retest your machines.

Retesting is currently ENABLED.

Use the host that is blocked to perform all of the steps below. The importance of this cannot be stressed enough. Doing this from any other IP address will not work.
ISP staff, and netblock owners, please see the sections below if you cannot use the listed host.
To be clear, only the IP address that is listed can request a retest key.
You need to get the retesting key from the Support page.

Enter your details and then look up your IP address.
Click the 'More..' button this will give you the 'Information' page.
Click the 'Get Key' Button.
Important Note: If you are not using the host that is listed you will not see the 'Get Key' button.
Click the 'retest' link, this will give you a key string.

Send a mail to retest@stealth.sorbs.net with the Subject: line set to the key you have just received (no quotes necessary).
When you receive the confirmation key, send a second message by following the instructions in the message.
Wait patiently for the retest to complete, and recheck your entry periodically.

Notes:

The keywords "key="; and "confirm=" at the beginning of the keys are part of the keys, and need to be included in the Subject of the retest request e-mail.

Immediately after the confirmation is received, the IP address will be retested. If the test finds that the open proxies or relays (as applicable) are gone, the proxy listing for that IP address is marked as "inactive and not flagged to be published". The system will then periodically test the host to ensure it is not just temporarily unavailable.

If the retest indicates that there still are open proxies or relays remaining, the IP address will automatically be flagged active and to be published in DNS.

If the host does NOT fail the tests, the 'last seen time' will NOT be updated. This value indicates the last time the entry was tested and confirmed open.

My host has been fixed and I have been retested clean, why am I still in the DB...?

SORBS sets a 'block' flag in the database rather than removing the entry. This ensures that recurring hosts are tracked. They will become more and more difficult to remove from the database the more often they are tested and found to be open.

Database entries are purged after 'n' years of no activity, where 'n' is the number of re-activations after retests showed the host to be clean.

My address entry shows 'inactive and not flagged' but I still see an entry in DNS, why...?

Because of load issues with DNS based blocklists, SORBS sets the Time to Live on each positive entry to two days. This means that the DNS server you queried will hold the entry for 2 days, even when it has already been removed from the SORBS database.

Yes, it will cause you pain that neither you nor SORBS can control. However, maybe that will be pain enough to ensure that you don't end up back in the database.

Why is it a pain in the butt to use...?

Simple, it is to stop spammers unlisting open hosts so they can use them for spamming. It is also to ensure that the owner of the blocked IP address doesn't just block the tester to get unlisted, then reopen the server later. It also ensures the owner of the IP address will only request removal after the open relay or proxy server has been closed.

I cannot access the web page from the listed host, what do I do...?

This situation usually occurs when you are a representative of the Internet service provider that owns the network.

For such cases, we do provide a way to get retesting keys by email. First of all, the IP address has to have a reverse DNS name. If there is no reverse DNS name for the IP address, this procedure will not work.

The key request email can only be sent from certain email addresses. The valid email addresses are determined by the domain indicated in the reverse DNS name of the IP address. The primary valid email address for this purpose is the DNS SOA (Start of Authority) address for that domain. The secondary valid email addresses are whatever you registered with abuse.net for this domain. If you did not register anything yet, it is "postmaster@that domain".

Please see abuse.net for more information about registering contact addresses.

If all of this is in order, you may mail keysreq@sorbs.net from one of the authorised email addresses, and the system will then send a set of keys back for each IP address that you requested keys for.

The format of the mail should be:

To: keysreq@sorbs.net
From: <your email address>
Subject: Key request.

keys for ip: address 1
keys for ip: address 2
...
keys for ip: address n

If the mail is in any other format, or the sending email address is not one of the authorised ones, you will not get a reply. Please wait at least 60 minutes before assuming something is wrong, though.