dnsbl.sorbs.net ( 127.0.0.10 )


enigma1

Some of the IPs I checked on the spamcop ip tracking page show:

listed in dnsbl.sorbs.net ( 127.0.0.10 )

For 127.0.0.10 the sorbs online docs say about dynamic IPs that are behind the range and imply that the ISP is responsible for the problem not the IP itself. In fact it is one of the codes from the sorbs queries that I cannot rely on because of that, I get more false positives than anything else.

So just to confirm when it shows in spamcop tracking it is the same thing. (the dul zone)

TIA

Link to comment
Share on other sites

Yes, it would seem so - the return codes for SORBS are discrete and if there are hits in multiple databases there will be multiple returns from the aggregate zone lookup on dnsbl.sorbs.net. Some other blocklists code returns from their multiple databases into a single return code, but not SORBS.

That comes from

SORBS Return Codes

SORBS returns 127.0.0.x codes to indicate which database the test result was obtained from. If you use the aggregate zone, the return codes will still reflect the specific database(s) from which the results have been obtained.

e.g. If 4.3.2.1.socks.dnsbl.sorbs.net returns 127.0.0.3

then

4.3.2.1.dnsbl.sorbs.net would also return 127.0.0.3.

If an IP address appears in more than one database and you query using the aggregate zone, all applicable codes are returned.

e.g. If in addition, 4.3.2.1.http.dnsbl.sorbs.net returns 127.0.0.2

then 4.3.2.1.dnsbl.sorbs.net would return both 127.0.0.2 and 127.0.0.3

- and yes, the same source confirms that dul.dnsbl.sorbs.net has the return code 127.0.0.10 and that dul.dnsbl.sorbs.net is one of those included in the dnsbl.sorbs.net aggregate zone (there are other aggregations). SORBS is, of course, a little controversial and the dul (dynamic user/host list) is particularly so because of SORBS' insistence on server naming conventions and minimum TTL values which some regard as the founder's imposition of hir own agenda into the recommended standards. I have no idea about the validity or otherwise of those standards.

Now, how much account does SC take of a SORBS listing during the parse? It is not clear from http://www.spamcop.net/fom-serve/cache/297.html that it takes any notice at all. Maybe it is just there to aid reporters in evaluating the proposed reporting action. In fact, as far as a dynamic source is concerned (the dul.dnsbl.sorbs.net database) the words say clearly that is not a factor in weighting towards listing in the SCbl.

Link to comment
Share on other sites
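
Added example, not part of any post in this thread and not SORBS or SpamCop code: a sketch of how a filter could interpret the set of A records that one aggregate-zone lookup returns, keeping a 127.0.0.10 (dul) hit separate from hits in the other databases. The code table holds only the three codes quoted above; the function names, the category labels and the `use` values are assumptions made for illustration.

```python
import ipaddress

# Only the return codes quoted in this thread; SORBS defines others not listed here.
SORBS_CODES = {"127.0.0.2": "http", "127.0.0.3": "socks", "127.0.0.10": "dul"}
# dul marks dynamically allocated address space (a policy statement), not observed abuse.
POLICY_ONLY = {"dul"}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone="dnsbl.sorbs.net"):
    """Build the DNSBL name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Sort the A records from one aggregate-zone lookup into categories."""
    result = {"policy": [], "evidence": [], "unknown": [], "invalid": []}
    for a in sorted(set(answers), key=ipaddress.ip_address):
        if ipaddress.ip_address(a) not in LOOPBACK:
            result["invalid"].append(a)  # not a DNSBL return code; never count as a hit
            continue
        name = SORBS_CODES.get(a)
        if name is None:
            result["unknown"].append(a)  # a code this table does not cover
        elif name in POLICY_ONLY:
            result["policy"].append(name)
        else:
            result["evidence"].append(name)
    return result


def verdict(answers, use="smtp"):
    """Decide what a set of return codes should mean for a given use."""
    c = classify(answers)
    if c["evidence"]:
        return "listed:" + ",".join(c["evidence"])
    if c["policy"] and use == "smtp":
        return "policy:dul"  # dynamic range; direct unauthenticated SMTP is unexpected
    return "no-action"       # dul alone says nothing about, e.g., web transactions
```

The answers are passed in as strings so the logic can be checked without a live resolver; anything outside 127.0.0.0/8 is set aside rather than read as a listing.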

That is basically SORBS telling you that the IP belongs to a group of IPs that are randomly assigned to users when they log into their network, and that the IP shouldn't be sending mail. If it is sending mail, you should be suspicious about it because only the network mail servers should be sending mail.

What IP are you talking about?

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

Link to comment
Share on other sites

I was talking in general, including when I was testing my own IP. I guess I was confused because the sorbs response wasn't consistent you see. Sometimes it will report an IP that I own, some other time I would get another IP from the same ISP and it wouldn't be listed (on a router reset for instance).

It doesn't seem to be a reliable list. The other thing I tried with the particular queries on the 127.0.0.10 in the past was to check the IPs were used to place orders online and use it as fraud factor. But I couldn't reference it either way. IPs belonging to major ISPs were not listed others were for the same ISP etc. Couldn't find a use for it, but anyways thanks.

Link to comment
Share on other sites

Well, there's nothing wrong with a dynamically-allocated IP address being used for online transactions (they shouldn't be used to send unauthenticated SMTP mail, that's all). The only problem with SORBS dul inconsistency that I have heard of before is that legitimate static addresses end up there as well as dynamic and that they have aggressively sought out candidates for listing (just search in the forum for "SORBS rant" for an instance - and links to others in another forum). The dul arguably has more addresses than it should and it doesn't (or didn't) wait for someone to be whacked between the eyes by anything it lists before including it.

The Spamhaus PBL is another listing which seeks to warn of dynamic addresses - see http://www.spamhaus.org/pbl/ - and you might like to compare that list in your testing. But there's nothing wrong with dynamic addresses being behind the completion of on-line forms (no more than them being used to post to this forum) most are dynamic. SORBS has another list for hijacked address space (hopefully including bogons and fullbogons and the like as well - see http://www.team-cymru.org/Services/Bogons/). That is the nearest approach to some partial test/assurance in terms of online fraud that I can think of, offhand. You might like to check it out, apologies I haven't made a note of the list name (but it's there somewhere).

The best check to see what lists a specific IP address is on would be to use a multiple bl checker like http://multirbl.valli.org/lookup/ (currently 219 lists, including some fake/extortion ones). Robtex - http://www.robtex.com/ - also does blacklisting tests with a convenient summary listing of hits. SenderBase - http://www.senderbase.org/ - also summarizes/lists five BLs, including dnsbl.sorbs.net and pbl.spamhaus.org. If there is a list more suitable than any other for your purposes, that sort of research might find it.

HTH

Link to comment
Share on other sites

Not a lot of people rely on the SORBS blocklist, because of their reputation for being over aggressive. The blocklist is used as a weapon against ISPs that host spammers, rather than as a useful tool for people who want to filter spam.

And SORBS doesn't remove listings unless the user satisfies their criteria, no matter how old the listing. I've seen a dynamic IP address blocklisted when the explanation was a single spam received from that IP address two years earlier. What use is that entry on the blocklist, when the source of the spam is surely no longer logged into that address, has hopefully run an antivirus scan by now, and has no way of knowing the blocklist was ever added to his former IP address?

Spamcop's system of auto-aging listings based on the number/duration of abuse incidents makes much more sense.

Link to comment
Share on other sites

I agree, but (for other readers) don't confuse the SORBS spam.dnsbl. and dul.dnsbl. lists as so many do. The latter aims to list all dynamically-allocated IP addresses whether or not spam is or ever has been listed. And SORBS has sought out entire blocks to list, regardless of activity (spam or otherwise) on any of the addresses. That list is for people who need to blanket-deny SMTP (or other) contact from any dynamic address. But I think there are some SORBS users who use that one within aggregate zones without even thinking about their actual needs. And there have been complaints that SORBS goes too far in dul.dnsbl., it lists static addresses and won't be told differently until all the problematical hoops are jumped. But those are not the same hoops as must be jumped for spam.dnsbl. listings. Those spam.dnsbl. lists retain addresses long past the "use by" date for actual spammer use. Probably - or certainly in some cases when activity is considered. Which is why SORBS has different lists for interrogation (including "new.spam.dnsbl.," or whatever).

I'm no SORBS apologist but I do have an acute sense of justice. Obviously not all lists suit all users and NO list is at all "convenient" from the POV of the general public who might find themselves blocked (not even the SCbl) so there is always going to be furore. And maybe some of the technical argument contesting some listings in SORBS dul.dnsbl. is correct (or maybe not, I don't know). But in my (non-technical) view, 95% of the SORBS criticism is well wide of the mark, is hopelessly confused in failing to recognise the differences in the several lists and is better directed to either the service providers with addresses that are blocked (in many instances they really should be better-managing their networks) or at those that use SORBS to do the blocking without considering the options, even within SORBS, to achieve something better suited to their actual needs - then finally at SORBS for not doing a better job of educating their users to choose the right tools from the selection available. And for not suffering fools a little more gladly. :P

Link to comment
Share on other sites

...So how do you see the accuracy of dul.dnsbl versus the Spamhaus PBL list?

I've never tried to evaluate either. I do know that, despite its reported aggressive addition of IP address blocks, dul.dnsbl is nowhere near complete and on the other hand, as said, it does contain some factually static allocation IPs and it can be a bugger to get those delisted. I haven't researched Spamhaus's listing policy or process, nor the delisting/update provisions that must be part of the list maintenance. Sorry.

Link to comment
Share on other sites
