Introduction
The SORBS DNSBL is just a list of numbers, nothing more, nothing less.
The significance of these numbers is that they are related to hosts
on the Internet whose condition/settings have included the particular
vulnerabilities which we seek to eliminate, i.e. open relays, open
proxies, etc.
As a prospective user of the SORBS lists the most important question
you need to ask yourself is: Do I understand the listing criteria
for the list(s) I plan to use?
Then, you have a number of choices/decisions to make:
- How aggressive at stopping spam do you want to be?
- Do you want to trust the SORBS admins as well as a testing script?
- Do you trust the scripts the SORBS admins employ to identify badly configured hosts?
- Do you run your own mailserver?
- Do you run your server for other people?
- Do you want to reject email or just flag it as spam?
In addition to the above you also have to consider how much load you
are going to put on the servers, including the SORBS DNS server.
For large or busy sites please see the information
for large sites.

How do server administrators use SORBS...?

Server administrators may use SORBS by querying the server directly using their mailserver's features.
Configurations for common mailservers are:

Zones Available

dnsbl.sorbs.net - Aggregate zone (contains all the following DNS zones
    except spam.dnsbl.sorbs.net)
http.dnsbl.sorbs.net - List of Open HTTP Proxy Servers.
socks.dnsbl.sorbs.net - List of Open SOCKS Proxy Servers.
misc.dnsbl.sorbs.net - List of open Proxy Servers not listed in
    the SOCKS or HTTP lists.
smtp.dnsbl.sorbs.net - List of Open SMTP relay servers.
web.dnsbl.sorbs.net - List of web (WWW) servers which have spammer
    abusable vulnerabilities (e.g. FormMail scripts)
    Note: This zone now includes non-webserver
    IP addresses that have abusable vulnerabilities.
new.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending
    spam/UCE/UBE to the admins of SORBS within the last
    48 hours.
recent.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending
    spam/UCE/UBE to the admins of SORBS within the last
    28 days (includes new.spam.dnsbl.sorbs.net).
old.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending
    spam/UCE/UBE to the admins of SORBS within the last
    year (includes recent.spam.dnsbl.sorbs.net).
spam.dnsbl.sorbs.net - List of hosts that have been noted as sending
    spam/UCE/UBE to the admins of SORBS at any time,
    and not subsequently resolving the matter and/or
    requesting a delisting. (Includes both
    old.spam.dnsbl.sorbs.net and escalations.dnsbl.sorbs.net).
escalations.dnsbl.sorbs.net - This zone contains netblocks of spam supporting
    service providers, including those who provide
    websites, DNS or drop boxes for a spammer. Spam
    supporters are added on a 'third strike and you are
    out' basis, where the third spam will cause the
    supporter to be added to the list.
block.dnsbl.sorbs.net - List of hosts demanding that they never be tested
    by SORBS.
zombie.dnsbl.sorbs.net - List of networks hijacked from their original
    owners, some of which have already been used for spamming.
dul.dnsbl.sorbs.net - Dynamic IP Address ranges (NOT a Dial Up list!)
rhsbl.sorbs.net - Aggregate zone (contains all RHS zones)
badconf.rhsbl.sorbs.net - List of domain names where the A or MX
    records point to bad address space.
nomail.rhsbl.sorbs.net - List of domain names where the owners have
    indicated no email should ever originate from these
    domains.
Note: The web.dnsbl.sorbs.net zone includes infected Nimda and
Code Red hosts, as well as hosts that contain FormMail scripts, or other known
exploits that allow a remote user to use that host to send/relay spam.
Exploits that include guessing passwords will not be included. Where possible,
servers will not be exploited in the process of testing.

SORBS Return Codes

SORBS returns 127.0.0.x codes to indicate which database the test result was obtained from.
If you use the aggregate zone, the return codes will still reflect the specific database(s) from which the results have been obtained.
e.g. If 4.3.2.1.socks.dnsbl.sorbs.net returns 127.0.0.3, then 4.3.2.1.dnsbl.sorbs.net would also return 127.0.0.3.
If an IP address appears in more than one database and you query using the aggregate zone, all applicable codes are returned.
e.g. If, in addition, 4.3.2.1.http.dnsbl.sorbs.net returns 127.0.0.2, then 4.3.2.1.dnsbl.sorbs.net would return both 127.0.0.2 and 127.0.0.3.
Return codes are:
http.dnsbl.sorbs.net           127.0.0.2
socks.dnsbl.sorbs.net          127.0.0.3
misc.dnsbl.sorbs.net           127.0.0.4
smtp.dnsbl.sorbs.net           127.0.0.5
new.spam.dnsbl.sorbs.net       127.0.0.6
recent.spam.dnsbl.sorbs.net    127.0.0.6
old.spam.dnsbl.sorbs.net       127.0.0.6
spam.dnsbl.sorbs.net           127.0.0.6
escalations.dnsbl.sorbs.net    127.0.0.6
web.dnsbl.sorbs.net            127.0.0.7
block.dnsbl.sorbs.net          127.0.0.8
zombie.dnsbl.sorbs.net         127.0.0.9
dul.dnsbl.sorbs.net            127.0.0.10
badconf.rhsbl.sorbs.net        127.0.0.11
nomail.rhsbl.sorbs.net         127.0.0.12
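
An added example, not code from SORBS: how a mail filter might build the aggregate-zone query name and decode the 127.0.0.x codes listed above into a reject/flag/accept decision. The reversed-octet query name is the usual DNSBL convention; the function names, the reject/flag policy and the fake resolver data are assumptions made for this illustration.

```python
import ipaddress
import socket

# Return codes from the table on this page, keyed by the last octet of 127.0.0.x.
# 127.0.0.6 covers new/recent/old/spam/escalations; the code cannot tell them apart.
SORBS_CODES = {2: "http", 3: "socks", 4: "misc", 5: "smtp", 6: "spam",
               7: "web", 8: "block", 9: "zombie", 10: "dul",
               11: "badconf", 12: "nomail"}
# Assumed local policy (not SORBS guidance): reject open relays and proxies,
# flag everything else.
REJECT = {"http", "socks", "misc", "smtp"}
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")


def query_name(ip, zone="dnsbl.sorbs.net"):
    """IPv4 octets reversed, then the zone (usual DNSBL convention)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """All A records for name; [] on NXDOMAIN or resolver failure (fail open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check(ip, zone="dnsbl.sorbs.net", resolve=system_resolver):
    """Return (action, listings); action is 'reject', 'flag' or 'accept'."""
    listings = set()
    for answer in resolve(query_name(ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        # Count only known 127.0.0.x codes; any other answer (for example
        # from a resolver that rewrites NXDOMAIN) is not a listing.
        if addr in LISTING_NET and addr.packed[3] in SORBS_CODES:
            listings.add(SORBS_CODES[addr.packed[3]])
    action = "reject" if listings & REJECT else "flag" if listings else "accept"
    return action, sorted(listings)


# Constructed sample answers standing in for the SORBS DNS servers.
FAKE_ANSWERS = {"4.3.2.1.dnsbl.sorbs.net": ["127.0.0.2", "127.0.0.3"],
                "9.0.0.10.dnsbl.sorbs.net": ["127.0.0.10"],
                "7.0.0.10.dnsbl.sorbs.net": ["203.0.113.5"]}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name, [])
```

Calling `check("1.2.3.4", resolve=fake_resolver)` reproduces the page's case of one address listed in both the HTTP and SOCKS databases; omit `resolve` to query through the system resolver.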

Additional Aggregate Zones

SORBS also provides other aggregate zones as follows:
Zone Name                   Zones Included
=========                   ==============
dnsbl.sorbs.net             http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net
                            smtp.dnsbl.sorbs.net
                            new.spam.dnsbl.sorbs.net
                            recent.spam.dnsbl.sorbs.net
                            escalations.dnsbl.sorbs.net
                            web.dnsbl.sorbs.net
                            dul.dnsbl.sorbs.net
                            block.dnsbl.sorbs.net
                            zombie.dnsbl.sorbs.net

safe.dnsbl.sorbs.net        http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net
                            smtp.dnsbl.sorbs.net
                            new.spam.dnsbl.sorbs.net
                            web.dnsbl.sorbs.net
                            block.dnsbl.sorbs.net
                            zombie.dnsbl.sorbs.net
                            dul.dnsbl.sorbs.net

problems.dnsbl.sorbs.net    http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net
                            smtp.dnsbl.sorbs.net
                            new.spam.dnsbl.sorbs.net
                            recent.spam.dnsbl.sorbs.net
                            old.spam.dnsbl.sorbs.net
                            escalations.dnsbl.sorbs.net
                            web.dnsbl.sorbs.net
                            block.dnsbl.sorbs.net
                            zombie.dnsbl.sorbs.net

relays.dnsbl.sorbs.net      http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net
                            smtp.dnsbl.sorbs.net

proxies.dnsbl.sorbs.net     http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net

Additional Zones such as (A)SPEWS...

In addition to providing the SORBS zones, SORBS also makes the ASPEWS and SPEWS data available by DNSbl lookup.
As the policy of SORBS (and one of the reasons for creating SORBS) was the publishing of data that is fully
under SORBS control, the ASPEWS and SPEWS zones are not included in the SORBS aggregate zone. This is the same reason
why SORBS does not present other DNSbls' data.
For those wanting the ASPEWS or SPEWS data by simple DNSbl lookup, SORBS provides the following zones as a courtesy:
l1.spews.dnsbl.sorbs.net - SPEWS Level one listings
l2.spews.dnsbl.sorbs.net - SPEWS Level two listings
aspews.ext.sorbs.net - ASPEWS Listings
Return codes for these zones are 127.0.0.2
Note: The SPEWS Level two zone contains all the level one data - you do not need to query
both if you are treating the data the same way.
If you were using APEWS via SORBS, sorry, we have discontinued distribution of this list on the SORBS DNS servers.

Information for large sites

Large sites (100k users or more, or more than 5 messages per second sustained),
please contact SORBS staff about getting local copies of the database before using SORBS. You may request
a local copy of the SORBS data by using the transfer request page, or
by using the Mail/Contact Form at: http://www.au.sorbs.net/cgi-bin/mail.