Spam blocklist SORBS closed by its owner, Proofpoint

The Spam and Open Relay Blocking System (SORBS) – a longstanding source of info on known sources of spam widely used to create blocklists – has been shuttered by its owner, cyber security software vendor Proofpoint. SORBS provided free access to a DNS-based Block List (DNSBL) that lists over 12 million host servers known to …

  1. wolfetone Silver badge

    I wish UCEPROTECT would shut itself down instead. A total cowboy outfit.

    1. Anonymous Coward

      We've experienced run-ins with them via customers before. Mostly we're able to explain their MO and once custy understand we can signpost them to proper anti-spam services.

      It'd be a shame if SORBS died :(

  2. Anonymous Coward

    FINALLY, that thing was a real pain in the arse, and stopped individuals from running their own SMTP server, due to classifying them all as SPAMMERS, and being totally un-contactable or responsive to requests to remove their erroneous flags.

    1. Mishak Silver badge

      Personally, I've never had a problem

      Provided I either:

      1) Use a static IP (not available from all domestic ISPs), and create rDNS, MX and SPF records for that IP; or

      2) Use my ISP's mail service to send messages.

      However, it is a world of pain to just set up a server using the IP assigned by the ISP - but I think that's fair, as that's how compromised PCs are used within spambot networks.

      1. J. Cook Silver badge

        Re: Personally, I've never had a problem

        Many, many years ago, I ran my own domain entirely off an underpowered, humble server, with an ISP that was 'geek friendly' and allowed such things, with static IPs at no additional charge.

        Ran it like that until ~2008, when I got a phone call from the ISP's abuse department that started along the lines of "So, about that open relay you are running..." which turned out to be a vulnerability in some recently installed web app that had a nasty XSS vulnerability in it which got abused and turned the machine into a spam spewing zombie. (you know the machine's toast when the console takes three minutes to respond to a keystroke...)

        I migrated to a hosting company shortly after that, along with my email, and haven't looked back since.

      2. jeremya

        Re: Personally, I've never had a problem

        I too do that but I've lately had an obnoxious European mail service reject my emails because the IPv4 reverse DNS of my public IP 'looks like an ISP assigned address' - which it is of course.

        I do control the reverse DNS of my IPv6 range but they don't support IPv6

        1. Mishak Silver badge

          Re: Personally, I've never had a problem

          Yeah, luckily I've been able to set it to something linked to my DNS.

    2. Yorick Hunt Silver badge

      Never had a problem with any lists*, having set up dozens of mail servers over the years, in assorted ISPs' address space, including residential netblocks.

      Of course, I actually go through all the settings before "letting the hounds loose," so to speak - as opposed to most first-time experimenters who just run with defaults, thereby creating an open relay and getting discovered by constantly-probing spammers within minutes (and getting listed by all manner of automated blacklists soon thereafter).

      * With the exception of UCEPROTECT, but I treat those listings as a badge of honour.

    3. Anonymous Coward

      I know right, I've been sitting on a warehouse full of CIALIS for decades. I can finally shift it.

      1. WanderingHaggis
        Big Brother

        A long time ago we had a discussion once killed because someone referred to socialist tendencies and the spam filter saw cialis and killed it. Took a bit of work to figure out what was killing the posts.

        1. GreenReaper

          Had that same experience myself, but it was amusing considering the context of the conversation at the time, so we decided it was actually a feature.

        2. Soruk
          Boffin

          I've heard this one called the Scunthorpe problem. And it would also prevent you from seeking a specialist to assist you.

          1. J. Cook Silver badge
            Joke

            Yup, it's a clbuttic problem with using blind regexes for content filtering.

        3. parrot

          More puzzles

          Manuscript

          Aylesbury

    4. Theodore.S
      Meh

      Not true.

      I operate a personal domain (with a single e-mail user, me) for the last 15 years. I never had a problem running my own (very low traffic) SMTP server with SORBS (or Spamcop or Spamhaus).

      The biggest problem with SMTP was a few years ago, with the "guilty until proven otherwise" attitude of Microsoft controlled mail services. It took me some days to be removed from their blacklist.

      Google policy on the other hand seems to work much better - my only problem was caused by my own mistake, leaving a Mailman subscription page without captcha. That's when I learned what "subscription spam" means.

      1. Number6

        Re: Not true.

        I had to jump through a few hoops to get Google to accept my home server, but it seems to be working smoothly now. Ironically the only problem I have at present is with Proofpoint. For some reason they decided to add my mail server IP to the Cloudmark CSI-Global list a couple of weeks ago, and they're either ignoring my request to sort it (I wish they'd explain why something landed on a blocklist, too - is it because someone else in the netblock is running a dodgy server?) or are merely taking forever to look at it. In the meantime, it won't even let my server connect to any of their stuff, which makes it harder to forward stuff from home to work, as well as talk to a few other people who use email providers who use their services.

    5. Anonymous Coward

      Good riddance

      Nearing 20 years ago the arrogant operator of SORBS decided to block a whole bunch of Telewest IPs, even though they were statically assigned and refused flat out to rectify the mistake.

      1. Jamie Jones Silver badge

        Just think of all those compromised Windows machines with static addresses that existed on the Telewest network...

        As I just posted above, I also got stung by this, but you have to be realistic about the spam situation.

      2. John Brown (no body) Silver badge

        My experience of Telewest "static" IPs on business accounts 20 years ago was that they were just DHCP assigned addresses with very, very long leases and never were properly assigned static IPs. Discovered when they were "re-segmenting the network" in Sheffield and a business client, whose point of contact had left and no one was monitoring the email address, missed the Telewest notification that their "static" IP address would change. Which in turn led to some of their systems no longer connecting to HQ in London because they used IP addresses as part of the auth process.

        1. trindflo Silver badge
          Big Brother

          DHCP addresses (maybe)

          In the early days of the internet, you were almost always guaranteed a new IP address every time you connected.

          After the terrorist attack that brought down the trade center in New York, and the US government passed the PATRIOT act, I noticed that my assigned IP address was always the same.

          Maybe that was a coincidence.

          1. Number6

            Re: DHCP addresses (maybe)

            I think the way it works now is that the DHCP server will remember you for some period of time, which may be from zero to "we need an address for something not in our system, let's take this one" after your last lease elapses. I know that the few times I've had an ISP outage, short ones mean I get the same IP address, longer ones mean I have to go reconfigure a bunch of stuff that relies on knowing the address. I did set up a cron script on one of my machines that queries the IP4 and IP6 addresses regularly and will let me know if either changes.

            The other change is that in the early days we were on dial-up modems, so leases probably had deliberately short timeouts, whereas now I suspect that you get at least 24hrs for a typical DSL or cable connection (mine currently has almost four days left), simply because they do tend to be up most of the time.

            1. trindflo Silver badge

              Re: DHCP addresses (maybe)

              Maybe it is just a matter of leases lasting longer; good point.

              There was a time I had been locked out of something by IP address, so I went in at a low level and forced a new IP address. Within about an hour the ISP forced it back.

              I'm going to continue to wear this particular tin-foil hat a little longer.

              1. Anonymous Coward

                Re: DHCP addresses (maybe)

                I think you need to find a new hat.

                No matter how long your DHCP lease is, your ISP knows it was issued to you*, when that happened and how long you had it. There's a very good chance your ISP will have logged that information and they may well store it for a long time. Sometimes, they have legal or regulatory requirements to do that. Of course there can be a wide variation in how well or badly ISPs keep track of this stuff.

                * ISPs generally tend to only hand out IP addresses or DHCP leases to paying customers.

    6. Jamie Jones Silver badge

      Yeah, I get your frustration, but as someone who used to run my mail server at home, as well as run mail servers for companies, it's one of those things I learnt was the correct course of action for the spam climate we live in.

      Far too many spam messages come from compromised domestic Windows computers, and as you can get a virtual server with a static IP for only a quid a month, it's really nothing to moan about.

      You can VPN the IP to your home system, or even just use the VM as your smart mailhost.

      https://www.ionos.co.uk/servers/vps (I have no affiliation with them)

      1. MrReynolds2U

        I'm not sure about Ionos but Azure have a habit of blocking outgoing SMTP ports from VMs and I don't think they are alone in that.

        You can use something like SendGrid to get around it but you shouldn't have to.

        1. RichardBarrell

          On that note, I have found the fact that Azure doesn't have a first party equivalent to AWS SES mildly annoying. But oh well, sendgrid works fine.

          I've seen people mention that Azure, AWS, etc all have ended up with their entire customer IP address ranges on various spam blocklists anyway.

        2. Jamie Jones Silver badge

          At default, Ionos block port 25, but enable it if you ask. I actually use one of their 1-quid-a-month FreeBSD VMs to export via ipv6 the ipv4 address to my bare metal server, which runs my main mail server, and is unfortunately at a provider that had a less than stellar reputation for spam, but is cheap!

          I also use vultr for my backup server. They also block port 25, but enable it on request.

      2. doublelayer Silver badge

        When I have run my own mail servers, I found that various lists either blocked or warned about every IP address that could be rented. Since you can get a cheap VPS, so can a spammer, and it's cheaper to block the entire range than to come up with some method of trying to tell the two apart. There is a reason why I stopped running these. It's not that I can't, but the work involved in depolluting an IP address is annoyingly sporadic, depending on the goodwill of people who may or may not have any interest in helping you.

        When I was looking into this, it seemed that the easiest ways would be to have a corporate network or host in a colo. Their static addresses weren't on lists. Unfortunately, both are expensive and make it harder to host a low-traffic server for a project. Several ended up using registrar-hosted email instead, which wasn't my first choice, but substantially reduced the concern that I would wake up one morning to find that messages were no longer arriving.

    7. Anonymous Tribble

      I had no problem getting my personal server delisted. Just sent them a message and quickly got a reply. I do have a fixed IP address.

    8. captain veg Silver badge

      re: individuals running their own SMTP server

      My provider in France is Free (Proxad). When they shifted from dial-up to ADSL one of the interesting features was that the offer included a static IP address at no extra cost. Great! I registered a domain and set up my own personal MTA. Just for my own personal usage, nothing in the slightest bit commercial or otherwise in bulk. Never compromised. Never sent or relayed a single spam message.

      Free's customers soon became interesting to scammers looking to compromise them and gain control over clean and static IPs for their nefarious ends. This was soon a real problem. The company ended up changing the configuration on their terminal devices to block port 25 by default. This put the problem to bed, but not soon enough for SORBS, who insisted that Free "voluntarily" list all its consumer IP ranges as "dynamic" and "dial-up", even though they were neither, or have their own email servers listed as spam sources. Unfortunately, faced with upsetting a tiny minority of customers running their own servers, or their wider community that used the ISP-supplied relays, they caved to the blackmail.

      Since then my MTA has consistently been listed in precisely one sole RBL, that of SORBS duhl. They are (were) not open to any kind of discussion on the topic. Compare and contrast with Spamhaus: it's a chore that I have to do annually, but simply affirming that I have a fixed IP and that I run my own mail system on it is sufficient to stay out of their listings, subject (obviously) to the continued complete absence of any other evidence of spammy behaviour.

      So yes, good riddance. I shan't shed any tears.

      -A.

    9. AndrueC Silver badge
      WTF?

      FINALLY, that thing was a real pain in the arse, and stopped individuals from running their own SMTP server, due to classifying them all as SPAMMER

      I've been running a private mail server for 15 years now. I've never been blacklisted.

      My ISP offers a free IPv4 static IP address and a /56 IPv6. My mail server is configured to use both with corresponding rDNS records and SPF records on my domain.

    10. streaky

      SMTP

      "stopped individuals from running their own SMTP server, due to classifying them all as SPAMMERS"

      If you don't know why, you shouldn't be running your own mail server. Also not really, no - my mail server isn't, never had an issue with SORBS - but then I know how to run a mail server which is circular to see first point.

  3. Pascal Monett Silver badge
    Thumb Down

    So, another one bites the dust

    A free service that was useful, accurate and regularly updated. And now it is shut down without so much as a warning.

    Proofpoint may have managed its existence properly, but it botched its ending. You tell people you're going to shutter a service like that. You give them time to adapt. You don't just pull the plug and then say "Yeah, we can't be bothered no more".

    Bad doggie. No cookie.

    1. A Non e-mouse Silver badge
      Mushroom

      Re: So, another one bites the dust

      Why don't you ask them for a refund or compensation on your previous subscription payments...?

      1. Malcolm Weir

        Re: So, another one bites the dust

        If I were a Proofpoint customer I'd be worrying about their notice and migration strategies. But I'm not, so this is just a reason to maintain that status quo.

    2. Phones Sheridan Silver badge

      Re: So, another one bites the dust

      Its ending doesn't hurt anyone tho. If you have set your DNSBL lookup correctly, then the response will = "no response", which means you decide for yourself how you treat the email you are looking-up, rather than asking someone else, how to treat it. I.e. it's time to put on your big girl pants!

  4. The man with a spanner

    Solutions?

    Mozilla ?

    EU supported service ?

    Or both perhaps?

  5. Jan Ingvoldstad

    Good riddance to all the false positives

    In my opinion, this is one of the worst blocklisting services ever.

    Delisting or expiry? Forget it. Entries from 2004 hung around *forever*.

    Accuracy? Don't make me laugh. The false positives abound.

    A SORBS listing, if you could verify that it was recent, could have had some value as input in spam scoring, but has regrettably not been useful for making a direct yes-or-no decision.

    For that purpose, I would rather have gone with Spamhaus' or Invaluement's free services, or paid for the services, combined with easy bypassing for the very few false positives.

  6. Zippy´s Sausage Factory
    Devil

    I wonder if Proofpoint own (or are planning to launch) any mass emailing services?

    Asking for a friend...

    1. sitta_europea Silver badge

      Lately, the same sorts of suspicions have been bothering me about Proofpoint.

    2. captain veg Silver badge

      re: Proofpoint mass emailing campaigns

      They've persuaded my employer to let them bombard us with "simulated phishing" campaigns on a regular basis.

      -A..

      1. Number6

        Re: re: Proofpoint mass emailing campaigns

        I don't know about the persuasion side (I thought it was a company initiative, not imposed from outside), but we get that too. I can't be arsed to flag them with the button installed on Outlook, I just add them to my blocked senders list locally in case they re-use a dodgy address. I get way more fake spam than I do real spam.

      2. Antron Argaiv Silver badge
        Thumb Up

        Re: re: Proofpoint mass emailing campaigns

        Oh, *those* are fun! My company does it too, though I am not sure why. They do it for a few emails, then change vendor, and do it again. Very long gaps between messages. But the messages are carefully crafted to look like they are genuine HR requests.

        Anyhow, I scroll through the message header and find the undisguised source of the message, then craft a rule to reject all messages from that sender. Breaks up the monotony, and I never have to worry about getting hooked by them again. Until they change phishing vendors...

  7. This post has been deleted by its author

  8. Zibob Silver badge

    Spamhaus

    My only visible run in with any of these was Spamhaus.

    I am on a non static IP, and for a week or so about 15 years ago Spamhaus blocked me from sending any emails at all, from a personal gmail address.

    I know it was probably because I was assigned a previously listed IP but it was an annoying mess and ultimately I had to just wait and try again another day, good thing email was not as serious a need as it is now.

    1. Phones Sheridan Silver badge

      Re: Spamhaus

      Spamhaus DID NOT block you, the recipient you emailed did because they CHOSE TO based upon a simple 30-40 character response.

      Each time there is an article about DNSBL, out come the nutjobs claiming the DNSBLs are all bad cos they block emails, which is sooo far from the truth.

      I've said this before, El Reg, when running an article about DNSBLs can you please run an article about how DNSBLs work* for the ignorant.

      *Hint, it isn't "any response is a block" like so many assume.

      1. doublelayer Silver badge

        Re: Spamhaus

        That's like saying that Microsoft reporting a file as malicious and automatically deleting it isn't blocking it. Imagine, for the sake of argument, that they did that to the Libreoffice installer. Now a Microsoft fan could point out, correctly, that you could disable Windows Defender and the file wouldn't be deleted, or that you could go into the settings and disable the automatic deletion function, then click through a couple warning screens, and that would work. From the perspective of most users, that decision would still be intended as and implemented as a block.

        When people use these spam lists without thinking, they're partially responsible for the problems, but people who are labeled possibly spammers by an overeager algorithm will tend to blame the algorithm, especially when a lot of receiving MTAs remove the "possibly" before deciding whether to allow the message in or not. I do not know this case, and I have not had to deal with this in a long time, so I cannot say whether this case did involve a bad decision by the list creator. I don't think it's hard to imagine that there could at times be those bad calls.

  9. rcxb Silver badge

    Double opt-in demands

    SORBS was the worst offender... Blocking anyone at the drop of a hat for no particular reason, with zero thought.

    Send out millions of e-mails every month without complaints? Okay, whatever.

    ONE customer's e-mail address gets mistyped dropping one letter, so it goes to a honeypot domain.... Your domain instantly BLOCKED by SORBS (and nobody else) and ALL e-mails get blocked by ALL the domains whose admins are amateurs and subscribe to SORBS.

    1. Phones Sheridan Silver badge

      Re: Double opt-in demands

      "domains whose admins are amateurs"

      So your issue is with amateur admins, and not SORBS.

      SORBS blocked no-one, "amateur admins" did.

      1. rcxb Silver badge

        Re: Double opt-in demands

        SORBS blocked no-one

        SORBS provides a "Block List" as it says right on their homepage (and partially in their acronym). Can't wash their hands of responsibility when someone used it as intended, and it caused problems.

        The "amateur admins" simply didn't know better... did not realize what a terrible organization they were relying on.

        1. GavanMeyer

          Re: Double opt-in demands

          Funny that is the argument the NRA makes. Block lists don't block email, mail servers block email.

      2. doublelayer Silver badge

        Re: Double opt-in demands

        "So your issue is with amateur admins, and not SORBS."

        As they clearly stated, their issues are with both. Their issue with admins was taking a report in an extreme way, and their issue with SORBS was creating a report with insufficient justification, which they allege other lists did not do.

    2. Alan Brown Silver badge

      Re: Double opt-in demands

      "so it goes to a honeypot domain...."

      I'm sure you can show the proof that proper opt in mail practices were used

  10. MrReynolds2U

    RATS-NoPtr

    Currently listed. No option to remove since the entire range (C block) is on their "Worst Offender List". SOOL but it's only one list.

    (and yes there is a Reverse DNS entry)

    And then there's UCEPROTECT who just toggle me on and off when they feel like it.

  11. goldcd

    Michelle's LinkedIn got this a week ago

    "Hey everyone! I’m on the lookout for a new role and would really appreciate your support. I’d love to reconnect with you all, share my experiences, and catch up on what’s new in your world." and job at Proofpoint has end date of Jun 2024

    Feels like there might be a connection

  12. Ilgaz

    Spamcop.net is nice but...

    Spamcop (now owned by CISCO) openly states at https://www.spamcop.net/fom-serve/cache/297.html

    "The SCBL is an aggressive spam-fighting tool. By using this list, you can block a lot of spam, but you also may block or filter wanted email. Because of this limitation, one should strongly consider using the SCBL as part of a scoring system and explicitly allowlist wanted email senders (e.g., mailing lists and other IPs from which you want to receive email)."

    One of the reasons could be that spamcop anonymizes the reporting user (at least tries very hard) and not all hosting providers take that seriously, ending up in the block list. I have lived a horrible experience with a large mailing provider because they figured my contact information. Now they are a gigantic mail distributor and yet still blocked from getting spamcop reports.

  13. Anonymous Coward

    Proofpoint is in decline

    The founder of Proofpoint sold out / cashed out to Thoma Bravo a little while ago. Thoma Bravo is all about maximizing shareholder value (they are the shareholders). It appears they have someone in charge of lowering costs, customers be damned. Customer VMs got nerfed terribly: what used to be a ten-second response time went to five minutes. Proofpoint Secure Share has been cancelled: too bad, so sad: go kick rocks. Technical support used to respond to opening a ticket within the hour; it now takes two to seven days.

    It does not surprise me that whoever is tasked with cutting costs found Michelle Sullivan on the payroll, asked what she does, found out it wasn't a revenue generating service, and canned her.

    If I were a Proofpoint employee, I would start looking for employment elsewhere in a company with no ties to Thoma Bravo. As a Proofpoint customer, I'm going to continue to tell my management how we are getting less and less service for the same price as before.

    1. Alan Brown Silver badge

      Re: Proofpoint is in decline

      Selling out to "investors" is a standard problem. The first thing most of them want to do is find ways of repaying their purchase price as quickly as possible and this almost invariably results in driving away paying customers

      This is why th'Interwebs are littered with corpses of once-useful or popular services

      It's a trend that has shown no sign of changing over the last 30 years

    2. Antron Argaiv Silver badge
      Thumb Up

      Re: Proofpoint is in decline

      Yeah, if the execs in your company ever utter the phrase "maximizing shareholder value", start looking for another job.

  14. Anonymous Coward

    recommended replacements?

    Hi,

    Speaking as one of those 'amateur admins' who are disparaged above --

    I run a system which receives email via SMTP. We were using 'dul.dnsbl.sorbs.net' and 'web.dnsbl.sorbs.net' until they were shut down; now our spam load is slightly higher. (We also use zen.spamhaus.org [127.0.0.{2,4,5,6,7,8,10,11}] and bl.spamcop.net, so it's only a slight increase.)

    We have a local whitelist to override unwanted blocks, so overzealous lists aren't a terrible problem.

    Any recommendations for a drop-in replacement? I am only seeking RBL recommendations here; the rest of the software setup is not currently adjustable.

    1. Michelle Sulllivan

      Re: recommended replacements?

      Keep watching.. something will likely pop up… ;)
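
Added example, not part of the original thread or any commenter's code: the receiving-side DNSBL handling the comments above argue about, in Python, where a listing feeds a score instead of a hard block, a silent or list-the-world zone is detected with the RFC 5782 test entries and ignored, and only expected return codes count. The zen.spamhaus.org codes are the ones quoted in the thread; the SORBS return code, weights, threshold, function names and DNS answers are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumed local policy: zone -> (return codes that count, score weight).
# The zen.spamhaus.org codes are those quoted in the thread; the SORBS code,
# the weights and the threshold are illustrative assumptions.
POLICY = {
    "zen.spamhaus.org": ({f"127.0.0.{n}" for n in (2, 4, 5, 6, 7, 8, 10, 11)}, 5),
    "bl.spamcop.net": ({"127.0.0.2"}, 3),
    "dul.dnsbl.sorbs.net": ({"127.0.0.10"}, 2),
}
REJECT_AT = 5


def query_name(ip, zone):
    """Reversed octets (IPv4) or nibbles (IPv6) prepended to the list's zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # '2.0.0.127.in-addr.arpa'
    return f"{reverse.rsplit('.', 2)[0]}.{zone}"


def system_resolver(name):
    """A records for name; NXDOMAIN, timeouts and dead zones all yield an empty set."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


def zone_healthy(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A retired zone fails the first check, a list-the-world wildcard the second.
    (Cache this result in production rather than asking per message.)"""
    return bool(resolve(query_name("127.0.0.2", zone))) and not resolve(
        query_name("127.0.0.1", zone))


def score(ip, resolve=system_resolver, policy=POLICY, allowlist=()):
    """Return (verdict, total, notes); listings add weight, nothing blocks alone."""
    if ip in allowlist:
        return "accept", 0, ["allowlisted locally"]
    total, notes = 0, []
    for zone, (codes, weight) in policy.items():
        if not zone_healthy(zone, resolve):
            notes.append(f"{zone}: failed health check, ignored")
            continue
        answers = resolve(query_name(ip, zone))
        if answers & codes:
            total += weight
            notes.append(f"{zone}: listed {sorted(answers & codes)} (+{weight})")
        elif answers:
            notes.append(f"{zone}: unrecognised answer {sorted(answers)}, ignored")
    return ("reject" if total >= REJECT_AT else "accept"), total, notes


# Constructed DNS answers so the example runs offline (documentation-range IPs).
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": {"127.0.0.2"},       # test entry present
    "2.0.0.127.bl.spamcop.net": {"127.0.0.2"},         # test entry present
    "10.113.0.203.zen.spamhaus.org": {"127.0.0.10"},   # 203.0.113.10 listed
    "20.113.0.203.bl.spamcop.net": {"127.0.0.2"},      # 203.0.113.20 listed
    "30.113.0.203.zen.spamhaus.org": {"127.255.255.254"},  # not a listing code
    # no dul.dnsbl.sorbs.net names at all: the retired zone answers nothing
}


def fake_resolver(name):
    return FAKE_DNS.get(name, set())


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "198.51.100.7"):
        print(ip, score(ip, resolve=fake_resolver))
```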
