SORBS Blocklist Reportedly Sold For $451K

palegray.net writes "SORBS, a well-known email blocklist provider, has reportedly been sold for $451k. Early reports indicate an acquisition by GFI, a company specializing in various communications services. In recent years, SORBS has been the target of frequent accusations of mismanagement and poor conduct, leading many to wonder if this turn in events might signal a chance for improved behavior. Citing lack of ISP support, the blocklist released statements earlier this year that they would be shuttering their operation."

Why put up with that?

[causality]

In recent years, SORBS has been the target of frequent accusations of mismanagement and poor conduct, leading many to wonder if this turn in events might signal a chance for improved behavior.

Honestly, that wouldn't make me wonder if SORBS will improve its behavior after an acquisition. No. That would have made me find another blocklist provider a long time ago. Shady/questionable behavior like that goes on only because it's so thoroughly tolerated and often actively supported.

Re:

[burne]

It might block much of your spam, but blocks a lot of legitimate mail too.

Given the availability of better alternatives, SORBS has been 'not an option' for me since like what. 2003 or so?

Re:

[MightyMartian]

It's largely because most people who administrate mail servers are completely and utter idiots. I've had conversations with mail admins who clearly don't even understand how SMTP works.

Blacklists are bad... bad bad bad bad bad bad bad bad bad. Yes, there are better behaved blacklists than SORBS, but they're all bad because filtering relies ultimately on the sensibility of these administrating the filter.

I'm running no filters and just greylisting and I get spam maybe once every few days. The only legit m

Too bad

[Jazz-Masta]

It is unfortunate that SORBS has gotten a bad rap. Although it has been plagued on the administrative side of things, its list was still helpful in detecting and removing spam.

GFI is a good company - but I am betting the list will no longer be free to use. Everything they sell is licenced on a "per mailbox" structure, and as such I imagine the list will be implemented into their anti-spam products. There may also be a nominal fee (per box) to use the list with other spam filters.

Re:

[Anonymous Coward]

GFI sends shivers down my back. I always loathed having to pull up that clunky, outdated, poorly layed out interface to manage our Spam filter. I could have lived with the poor interface if their software actually was proactive in Spam filtering, but it was mediocre at best. It wasn't unusual to come in to the office, only to find that my inbox was full of people complaining about the flood of Spam that made it through our filter the previous night. To make matters worse, their tech support was attrocio

Re:

[nametaken]

Agreed. We moved away from their spam filtering products a couple years ago and picked up a barracuda appliance. The GFI app was such a worthless hunk of crap, we've never looked back.

Re:

[gujo-odori]

Barracuda was a step _up_?!?! Wow, GFI must be really something :p

Re:

[nametaken]

Yup. Why, have you found something that works better than a barracuda appliance?

Right now I might get 1 or 2 spam emails a week with the 'cuda. I haven't had a false positive in 2 years. When we had GFI + RBL's, I'd get about 20+ per day. So... roughly 140 per week down to 1 (sometimes 2). This is not a big company, roughly 3,000 emails per day across all users.

Re:

[thijsh]

[quote]Although it has been plagued on the administrative side of things[/quote] SORBS administrators (or other participants) plagued anyone who is just kindly informing about their list. In my experience they are uncoöperative, arrogant and some are even sadist BOFH kind of people why get their biggest kick out of tormenting people with problems. When my host in the US was added together with a huge IP range as 'spam friendly subnet' I informed what I should do, and if the listing was legitimate if sh

Re:

[efalk]

I'm not sure the problem is that the administrators enjoy their BOFH roles so much as that anyone who runs an anti-spam service is probably someone who's already really, really frustrated with the spam problem, and with dealing with lazy, greedy and incompetent ISPs.

Another thing to consider is that the anti-spam services work for the clients who want the spam stopped, and they don't work for the ISPs that are generating the spam. So they tend to get testy when those ISPs ask for help dealing with their ow

Re:

[Cramer]

Having worked for a former ISP of Jermey Janes, lemme just say, it's impossible to educate sales people. They care about their commission, and nothing else. When I checked, they had, in fact, had several connections with us for several years -- all under different names, to different addresses. But T1's were just too small for any real volume. When they ordered a DS3 and colo space, they screwed up and sent out 100,000 "template" spam messages and abuse@ received "many" complaints -- and the f'ing moron

Re:

[Cramer]

Lemme guess, there answer was "spamtrap"? For which they will give zero evidence and demand payment to get removed. (That's extortion, btw. But since "we never touch the money" it's not illegal.) All it takes is ONE MESSAGE, EVER, to land in the spamtrap list; listings never expire, and you have to make a "donation" to get delisted. Most interesting is the number of charities refusing to be associated with the SORBS extortion racket.

While I doubt there was much intentional (mis)listings, there certainly

Re:Too bad

[gmuslera]

Bad rap? Like putting in blacklist entire ISPs because a single customer had a trojan? Or whole hosting companies (a /19 range) because one client from a single IP got an intrusion? A lot simply stopped trying to get delisted by them, and not sure how much people trust in what they say anyway, just too much false positives and no easy/fast way to get out.

Re:Too bad

[Guspaz]

Or how about listing entire netblocks because the RDNS of an IP "looks" dynamic?

I'm serious, they've blocked huge swathes of Linode (a virtual server provider) because Linode's default RDNS format (li12-345.members.linode.com) looks dynamic as if such a thing exists.

Linode's attempts to get the netblocks delisted was met with silence; SORBS simply ignores anybody who tries to get delisted.

Re:

[EvilStein]

.......unless it's accompanied by cash, naturally.

Check out the Wikipedia entry for SORBS. Someone pointed out that they blocked entire ISPs for almost nothing, and the SORBS revisionists went and started slapping wikipedia vandalism warnings around.

Fuck SORBS, and screw Wikipedia. :|

SORBS became useless years ago. Filtering evolved significantly, they remained back in the useless stone ages. Good riddance.

Re:

[danomac]

I find it rather interesting that I just now found out about the mismanagement of SORBS and how hard it is to get off the list. I basically set up our spam filter and check it periodically; that's about it. I honestly never paid attention to the politics of the lists themselves...

SORBS simply ignores anybody who tries to get delisted.

I can say right now that this is untrue. I inherited a blacklisted IP address for one of my servers just last week and figured out the hard way that the IP was blacklisted by

Re:

[Guspaz]

While you may have had a good experience, Linode was met with silence when they requested that their netblocks be removed.

They weren't even listed for spam, they were listed because they were supposedly dynamic! That's right, a SERVER HOST specializing in providing servers with STATIC IP addresses.

Re:

[Sl4shd0t0rg]

I used to work as an email admin for a large ISP (over 5 million users) and SORBS was very receptive about removing false positive IPs from their list...if we paid them. We finally had to tell customers and outside users that complained to stop using SORBS and use other well run RBLs like Spamhaus.

Re:Too bad

[Just Some Guy]

It is unfortunate that SORBS has gotten a bad rap. Although it has been plagued on the administrative side of things, its list was still helpful in detecting and removing spam.

So is unplugging your mailserver. It'd get roughly the same number of false positives, except without the malice.

Re:

[secolactico]

Took the words out of my mouth.

RBL are a pretty good tools, but they are only as good as the admin team and processes behind it.

"Esoteric" RBL like SORBS are the source of headaches of responsible mail and network admins.

But even SORBS is not much of a problem (not many mail admins use it to block email since they don't want all the false positives). Recently, senderbase has stepped up their efforst to be even more obscure in their reputation systems. And since they are a now Cisco product, you can bet a

Re:

[aztracker1]

I have about 25 RBLs setup in my spam filtering, each given a different weight, allong with spamassasin, it takes 2-3 results to have a spam blocked (I actually just filter into a Junk folder for the most part, unless it's really bad (takes 5-7 fails) I spent a solid month simply tagging various emails, and checking to see how reliable each list was in my use case to give them their weights. Works pretty well overall, adding in greylisting, and SPF checking helps too. I've been getting about 2 false nega

Re:

[Onymous Coward]

25? That seems like a lot. I hope your setup uses short circuiting?

I did a lot of research to find good lists. That means vanishingly small false positive ratios, clear and reasonable methodology that agrees with my philosophies, good organizations behind them, and good coverage in union. I use Spamhaus XBL and SpamCop SCBL. Independently they're great. Adding them together nets an additional 4.4% with just the one additional DNS lookup, totalling, I think it was, 86% (hm, must have had other measures

Re:

[NoNsense]

It's been poorly run for a long, long time. As an administrator who occasionally had a customer who was blocked by their fault system, I can tell you they have less then a good attitude. Joey, if you ready this, you can suck my nuts. At least Matti will help you if you need it.

Re:

[TPS Report]

It is unfortunate that SORBS has gotten a bad rap. Although it has been plagued on the administrative side of things, its list was still helpful in detecting and removing spam.

Spoken like someone who's never had to deal with them in any capacity. SORBS was an arrogant list that was out of touch with reality and the problems administrators face. SORBS made far too many arbitrary decisions (like blocking netblocks because they LOOKED dynamic - without bothering to check) and caused real harm and damage to millions of people. They were an embarrassment compared to real lists like Zen/SpamHaus, SpamCop, etc who remained professional and logical and actually had policies and procedure

Re:Too bad - not!

[billstewart]

It's unfortunate that SORBS deserved the bad rap they got, but they were quite effective at false-positive mis-detection of legitimate emails as spam, unlike lists such as Spamhaus, and quite unwilling to remove addresses that had been tagged as spam or as part of variously large blocks of ISPs that had had some spammers use them.

There are legitimate uses for a rabid-overkill list, such as directing mail from those IP addresses to a check-more-carefully server if you've got a multi-tier multi-server spam-bl

Re:

[MightyMartian]

It is unfortunate that SORBS has gotten a bad rap. Although it has been plagued on the administrative side of things, its list was still helpful in detecting and removing spam.

It was helpful in detecting email and, based on the lunatic who was running it's particular whims, probably included a healthy dose of legitimate servers that, through no fault of their own, were somehow associated in some convoluted way with IP blocks where spam probably originated at some point anywhere in the last decade or so.

If I

has it

[spongman]

blocklists should be one-way hashes. the user's email address should never even be sent over the wire.

Re:

[doon]

Well sorbs (like most DNSBL's) is based on IP address, so generally speaking the users's email address isn't passed over the wire (in terms of BL usage).

Re:

[WuphonsReach]

You're confusing RBLs (which are based on a DNS lookup of the IP address) and "suppression lists" which are lists of email addresses that have unsubscribed.

The latter is best implemented as a one-way hash (usually md5) so that the resulting list can't be used for other mailings.

Re:

[account_deleted]

Comment removed based on user account deletion

you bleeping amateurs.

[Anonymous Coward]

Right before signing, you should have said, you know what, let's make it $419k. You guys just never miss an opportunity do you.

451K - the temperature that _____ burns?

[billstewart]

Spam? Flamers? Email?

Is this good or bad?

[bc316]

That is one hell of a donation. :) I sure hope they fix the removal process. I have been struggling for weeks now to get some netblocks removed.

Re:

[cptsexy]

It took me about 6 months. I took over as the lead IT guy for a company who had their own Win Small Business server, but didn't have in house people to manage it. The initial setup wasn't done correctly and thus Sorbs had them blacklisted (along with several others I might add). I found and fixed the issues within my first week and then followed their process for removal and six months later finally got an email that I had been removed and things started working. The problem is that it seems a lot of pe

Re:

[Gerald]

This is one of the reasons I use Postini. Dealing with crap like this is now Someone Else's Problem, and that someone happens to be a large, resourceful corporation.

Re:

[Cramer]

... who have random mailservers listed in SORBS' spamtrap list. The day my mailserver dropped a message from gmail is the day I stopped using SORBS. This was cast in cement by their bitchy response to my inquiry... "[gmail] doesn't do outbound content filtering, so f*** 'em."

Re:

[dasmoo]

Send spam, be punished? Doesn't really sound that bad to me. If you were worth your salt as an IT guy you would've had your ISP change your IP address though. I've dealt with SORBS in getting a range of IP addresses removed before, it took two weeks. During that time we routed all outbound mail through a different IP address. You're going to have trouble with blacklists because they have to be annoying to be effective.

Re:

[cptsexy]

If you were worth your salt as an IT guy you would've had your ISP change your IP address though.

Um, no. Just change your IP, lol like nothing else is tied to it. We had a lot of other things that were pointed at that IP, again I did not set it up that way, but nonetheless would have been a cluster had we just up and changed it. In the perfect world you are correct, but we don't live there. And even two weeks in business is way too long to have to wait. Fix the problem let the software test and then de-list. My God I could understand if this was 1969 and some retard was taking requests by phone a

Shuttering their operation?

[hackel]

I can't tell if this is a typo or an actual term someone might use. I suppose shuttering the operation would simply mean concealing it from the public?

Re:

[eln]

Shuttering a company (or part of a company) generally means to shut it down. Michelle was looking to close down SORBS, but evidently found someone to give her lots of money for it instead.

Re:

[palegray.net]

evidently found someone to give her lots of money for it instead

That's the part that has a bunch of people seriously ticked off. It appears she's landed a "Director of Engineering" title in the process, which I pretty much interpret as being handsomely rewarded for abject failure to run a responsible operation.

Re:

[Cramer]

450k isn't that much money as these things go. Still, that's a lot of folding money in one's pocket.

Re:

[hardwarefreak]

Shuttering -

1. closing the shutters on the windows of a building (old term, most don't have shutters in 2009)
2. nailing wooden panels over the windows and doors of a condemned building to keep people out
3. nailing wooden panels over the windows and doors of a foreclosed building to preserve resale value of the structure (i.e. prevent vandalism)

The term, in the context used, is perfectly applicable.

Re:

[just_another_sean]

The blacklist itself? The many thousands of IP addresses they have identified as (a lot incorrectly btw) as deliverers of spam?

Re:

[Cramer]

The servers, software, database, "reputation", etc. Basically, an anti-spam operation on wheels. ('tho I don't recommend rolling fully loaded racks around. A fully loaded 43U rack can weigh nearly a ton.)

Shutting down

[gmuslera]

Hope that the "shutdown" means that answer everything as NOT blacklisted for the people/devices that surelly will still use them for a while (not sure how will be interpreted to not be able to connect to the service), not the opposite that happened with others blacklists in the past.

Re:

[amorsen]

not the opposite that happened with others blacklists in the past.

In the one instance that comes to my mind, they answered NOT blacklisted for more than a year after disabling the service. Still the queries came flooding in. In the end the choice was between abandoning the domain (and pushing all that load to the .com or whichever name servers) or answering blacklisted to make people wake up.

Re:

[TheRaven64]

They could have reduced the load a lot by setting a very large TTL and returning NXDOMAIN at the root. For most of these systems NXDOMAIN means 'don't block' (this address is not in our block list, it does not exist). If you set it on the root for the DNSRBL then no queries will be delivered for addresses under that and every ISP nameserver will cache the NXDOMAIN. Even with a 24-hour TTL, you'd be reducing the traffic to at most one request per client per day.

Re:

[palegray.net]

If the new owners decide to continue the trend of irresponsible behavior that has been the hallmark of SORBS in recent times, at least there's a U.S.-based entity [gfi.com] that can be more easily sued by for losses now.

Traditional route

[russotto]

So, will they go the traditional route and block /0 when they shut down?

Oh my...they overpaid by about $450,999.99

[Ritz_Just_Ritz]

I don't know of ANY serious ISP that pays any attention to SORBS and it's been that way for a few years. Whoever cashed that $451k check had better squirrel that money away quickly before the unwitting buyer tries to claw it back.

I did not like my interaction with SORBS

[GoNINzo]

I was one of the people that had a very bad experience with SORBS.

My company got a new ISP with an external block. I'm sure at some point that block had been used as a dynamic range. I had not set a PTR record (because the IP of the mail server changed at the last second), my PTR and A record for that mail server were not set to 12 hours (seriously, who does that?), and I was banned on the SORBS list. I had an SPF record, you could obviously see that I'm part of a legitimate organization, and it would have taken maybe 2 minutes of work for an physical admin to realize that this was a mistake.

It took two support tickets with SORBS, 5 calls to my ISP, and around 10 days to get off the list. In the meantime, we could not contact certain people using it. And what's worse is that the only solution that the admin of SORBS had was to get everyone to stop using the SORBS list. I think that the TTL requirements are the worst part of their solution.

In my opinion, an unattended, automated black list is worse than the problem of too much spam. You are blocking valid mails, and because you are blocking it at the IP level, the end user doesn't even see it show up in their spam bucket many times. If SORBS had a single admin, checking their email once a day, they could easily filter out some of these issues.

I encouraged several anti-spam vendors to stop using their services for this reason, through the different companies that we interact with. There are several other blacklists that do their job well, there is no need to use an unattended blacklist.

Re:

[EvilIdler]

I run into the same problems constantly. There are far too many small providers around the world who don't know better and subscribe to these awful blocklists. I have a reseller account through Hostnine which I portion out webspace from when non-technical friends need it. The IP address for the space they get is often in SORBS, so a lot of their mail doesn't go through. I find myself moving accounts from the selected location to another part of the world about half the time :(

What we REALLY need is a list o

Re:

[dasmoo]

You had a bad experience, ipso facto everyone should stop using a service that works. That's bullshit. Spam is far worse than losing one or two emails because someone's IT guy didn't have the balls to tell his boss to keep the two ISP connections running concurrently while they tested everything. Then you complain about the user not receiving the mail? The best thing about a DNSBL is that you don't receive the mail, reducing bandwidth, reducing cost. Also, you couldn't have just forwarded all mail through y

Re:I did not like my interaction with SORBS

[palegray.net]

Wow. You have absolutely no idea what you're talking about; do you even work in any sector remotely associated with large-scale network operations? How about this: I'll issue you a new netblock that's blocked via the SORBS DUHL (dial-up host list), even though the range isn't dynamically allocated at all. You'll try to get it removed from the list, at which point you'll be informed that you need to set your reverse DNS to something they find acceptable to even be considered for removal. You'll probably try to get ahold of a real person to explain the situation to; that will fail.

Meanwhile, several hundred brain-dead mail administrators, responsible for the delivery of email of tens of thousands of people, are happily using SORBS to block mail based on false assertions that your IP space is dynamically allocated. There's the one-two punch that pretty much guarantees you'll have mail delivery problems. If you're a business, that's a big deal; you could easily find yourself (as many have) unable to send email to partners, suppliers, and customers due to negligence beyond your control.

This isn't about being listed for a few days. It's about doing absolutely nothing wrong in the first place, having SORBS make provably false statements about the usage of entire netblocks, and then sitting by helplessly while SORBS refuses to address the situation, causing real damages to your business for months. I've got news for you: the Internet is bigger than "your ISP", and it's generally considered a bad practice to rely on another organization's SMTP service for your email unless they're an operation specifically geared toward doing so as their primary business model.

Next time you decide to post on a topic, please be certain you're well educated on the subject matter first.

Re:

[GoNINzo]

I think the other poster explained my position perfectly well, he gets the issue. The fact that I could get delisted within 10 days is pretty impressive for being listed there, it's normally months. And that's only because my ISP had problems with them before because the guy blocked /20's from them on a regular and repeated basis, it looks like mostly virus related.

And both ISPs were running at the same time, but you can only send mail out one direction. Am I supposed to short circuit our entire operati

Re:

[MSojka]

I think the other poster explained my position perfectly well, he gets the issue. The fact that I could get delisted within 10 days is pretty impressive for being listed there, it's normally months.

Strange. We've got an entire /16 listed there a few weeks ago, and it took less than three hours for the block to be gone after us explaining the situation (basically, some hosts were leased using stolen identities to send spam from and were shut down less than 24 hours after they started doing so).

Re:

[Cramer]

A GREAT MANY people can tell the same story. SORBS was half-automated. Getting on any of their lists was simple -- a SINGLE email is all it takes. Getting off the list is not automated in ANY way. It takes a human being -- and by all accounts, there was only ever one human -- to remove you. The removal process was never speedy and usually involved a ransom in the form of a donation to an ever dwindling number of charities. (no respectable charity would have anything to do with this crap.)

The internet i

Deep Six?

[SpeedyG5]

I hope they bought it to deep six it. There is just no use for it other than to let it die. Course thats expensive but could be a huge chunk of advertising dollars. ;)

I *Stopped* using SORBS and SPAM *decreased*.

[my_left_nut]

I'd stopped using SORBS awhile back, after numerous instances of it flagging real email as spam. Since then, the amount of UCE that I've been receiving since has actually *gone down*. Go figure.

Re:

[my_left_nut]

I'm using spamhaus exclusively now. After discontinuing SORBS, I might get at most 10 spams a day.

Re:

[LodCrappo]

are you suggesting it would not have gone down if you had continued using sorbs? i don't get it. how can you get less spam by blocking less IPs, regardless of whether those IPs are spammers or not?

Re:

[Just Some Guy]

Don't question it. Nothing involving SORBS made a whole lot of sense.

Who uses SORBS anyways?

[gweihir]

Not me. There are far better ones out there.

Interesting blog from the former owner ...

[ZeekWatson]

http://www.myspace.com/michelle_i_sullivan [myspace.com]

"I'm 40 year old transsexual girl ..."

I'm not making this up!