The blacklist service is a system widely used around the world as one of the main weapons or tools in the fight against junk mail, or spam. I, as the administrator of a server, subscribe to a blacklist that I trust, so that I will systematically and blindly reject, by technical means, mail coming from those machines that, according to that blacklist, are senders of spam. There are loads of blacklists, some better known than others and, above all, some more serious than others. Serious and reliable ones (until proven otherwise) are, for example, SpamCop and SpamHaus. But a list that is neither reliable nor serious is the SORBS list, which differs from the others in that to be removed from its list you have to pay it 50 dollars. If you don't pay, you stay there. It is, evidently, a system that seeks to extort system administrators. If that were all, a rogue's strategy for making money, the matter would go no further: someone who wants to get rich by the shortest route. The real problem appears when one finds that a significant number of those responsible for institutional servers use SORBS as an antispam tool. That is, they trust the first passer-by to veto mail, all mail, coming from a server.
So let us try not to use SORBS on our servers and use lists such as SpamCop and SpamHaus, which are reliable.
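
The lookup a mail server performs when it consults a blacklist as described above, as an added example that is not part of the original post. The zone hostnames, the function names and the sample DNS answers are assumptions of this example, and the resolver is a constructed stand-in so that it runs offline.

```python
import ipaddress

# Zones for the two lists the post trusts. The zone hostnames are an
# assumption of this example; the post names the lists, not their zones.
TRUSTED_ZONES = ("bl.spamcop.net", "zen.spamhaus.org")

LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")     # RFC 5782 answer range
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")  # Spamhaus error codes

def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone"""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify_answer(a_records):
    """Turn the A records returned for a DNSBL query into a verdict."""
    if not a_records:                       # NXDOMAIN: the IP is not listed
        return "not_listed"
    for record in a_records:
        ip = ipaddress.IPv4Address(record)
        # An answer outside 127.0.0.0/8 (parked or wildcarded zone) or an
        # error code is not a listing; rejecting on it would veto all mail.
        if ip not in LISTING_NET or ip in ERROR_NET:
            return "error"
    return "listed"

def check_client(client_ip, resolve, zones=TRUSTED_ZONES):
    """Query each zone. resolve(name) returns A records, [] on NXDOMAIN."""
    return {z: classify_answer(resolve(dnsbl_query_name(client_ip, z)))
            for z in zones}

def should_reject(verdicts):
    """Reject only on a real listing, never on a lookup error."""
    return "listed" in verdicts.values()

# Constructed DNS answers standing in for a live resolver (runs offline).
# 127.0.0.2 is the RFC 5782 test address every DNSBL lists.
SAMPLE_DNS = {
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
    "10.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error code
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.10"):
        verdicts = check_client(ip, sample_resolve)
        print(ip, verdicts, "reject" if should_reject(verdicts) else "accept")
```

In production, `resolve` would wrap the server's own recursive resolver; the verdict logic stays the same.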

Have you had a good or bad experience with blacklists? Comment on it: BLACKLISTS.
Full article at http://dominioyhost.blogspot.com/

1 comment:


    SORBS (aka dnsbl.sorbs.net, SORBS) is a fake blacklist started by Mathew Sullivan, who worked until recently as a system administrator at the University of Queensland in Brisbane, Australia. Recent checks of the University Staff list no longer indicate Sullivan as a staff member.

    SORBS seems to have started around 2002, just after ORBS was shut down, with a SourceForge project to implement an open relay scanning tool. The scanning tool doesn't seem to have been very successful. It is remarkable only as an example of bad programming.

    SORBS is somewhat unique in that it extorts money from victims and subscribers. Subscribers are few and far between. SORBS has blacklisted the entire IP address space used by Av8 Internet, approximately 67,000 IP addresses, since May 2003, falsely claiming the IP addresses are somehow stolen. Only a few dozen sites have been found to use SORBS. They don't use SORBS long.

    SORBS is very similar to ORBS.ORG. ORBS was a fake blacklist run by Alan Brown. ORBS was shut down after losing 2 defamation suits involving making false statements about ISPs that Brown didn't like (Actrix, Xtra). Brown was also found guilty in a third defamation suit (Domainz). This makes Brown a 3-time court-proven, habitual liar, who is also associated with SORBS.

    Some complaints by new SORBS users

    If you are a SORBS Victim
    Do not bother contacting SORBS. Contact the blacklist user by some other means, and ask them not to use SORBS. Have them review the claims for 130.105/16 and 198.3.136/21. Even if you are not an Av8 Internet customer, this listing demonstrates the disreputable character of SORBS and Sullivan well beyond what written history can do.

    See Laws

    History of Conflict with Av8 Internet, Inc
    The story begins when Dean Anderson revealed that Alan Brown of ORBS was involved with conducting abuse of open relays. Av8 Internet and its predecessor have operated protected open relays since 1996, and no commercial bulk emailer has ever attempted to abuse its relays.

    On March 28, 2003, Alan Brown sent email to the SPAM-L list claiming that 130.105/16 and two other blocks were "stolen" March 28, 2003. There is no support for this claim. This first claim was ignored. Brown's second claim on May 15, 2003, was apparently picked up by SORBS operator Mathew Sullivan. According to SORBS records, on May 21, SORBS operator Mathew Sullivan began listing the blocks as "Hijacked/Zombie".

    The Original Listing

    > The full listing is:
    > Netblock / 16
    > Summary The OSF doesn't exist anymore, making this hijacked.
    > Announced By [1784] Global NAPs Networks
    > Entry Created Wed May 21 11:51:29 2003 AEST
    > Record Updated Wed May 21 11:52:38 2003 AEST
    > Currently active and flagged to be published in DNS
    > Spam has not been received from this netblock.

    The other blocks are 198.3.136/21 and 199.172.128/21. 198.3.136/21 is directly assigned to Av8 Internet, Inc. The other block, 199.172.128/21 was assigned by UUnet in 1994. More on that below.

    To give you some idea of how little-used SORBS is/was, this block was not noticed for over a month. In June, 2003, shortly after a Nanog meeting, we were contacted by a UUnet Admin demanding we return some IP Address space.

    If you are not already familiar with how IP address space is hijacked, you should review How IP addresses are hijacked.

    Veracity of The UUNET Block (199.172.128/21) Claim
    Sullivan cites this incident as 'evidence'. The incident is only evidence of successful deception of ISP administrators by Sullivan.

    Predecessors of Av8 Internet obtained Internet Connection to UUnet in 1993. Av8 terminated this UUnet connection in 2001 and was not due under UUnet's policy to return the UUnet IP space until February 2004. After creating false entries May 21st, Sullivan tricked a UUnet Operations Group staff member Chris Morrow into inappropriately demanding return on June 1st, 2003. Morrow was unaware that Av8 Internet was previously a UUnet customer and unaware of the proper return date for the IP Address space, as well as other issues. Morrow was misled by Sullivan. UUnet Operations Group operates the network equipment. Another group handles provisioning. This incident with UUnet demonstrates the intent to interfere in the business operations of Av8 Internet. Chris Morrow was misled, and the incident unnecessarily harmed Av8 Internet operations, as Sullivan and Brown intended.

    Veracity of the 130.105/16 Claim
    The OSF does exist and simply surfing to www.osf.org takes one to www.opengroup.org. Plainly, if the OSF has never gone out of business, its address space is not hijacked. Even after learning that the OSF exists, Sullivan wants to know the details of the relationship between OSF/TOG and Av8 Internet. Sullivan is not entitled to this information, and by law it cannot be provided to him by Av8 Internet, beyond acknowledging that OSF/TOG is a customer of Av8 Internet.

    The American Registry of Internet Numbers (ARIN) is the authority for the registration of this block. ARIN records Dean Anderson of AV8 Internet as the proper technical contact for this block.

    Veracity of the 198.3.136/21 Claim
    This block was permanently transferred by UUnet to a predecessor of Av8 Internet in 1993, which was common practice before Classless Inter-Domain Routing (CIDR) was introduced in 1994. It is directly assigned to Av8 Internet by the American Registry of Internet Numbers (ARIN). This space is plainly not hijacked.

    ARIN is also the authority for the registration of this block. ARIN records the block as being assigned directly to Av8 Internet, and records Dean Anderson of Av8 Internet as the proper technical contact for this block.

    Response by Av8 Internet
    A complaint was made to XO Communications (hosting www.sorbs.net and www.isux.com). Sullivan also threatened to "mailbomb" on www.isux.com. See more about mailbombing. Mailbombers are spammers. They just aren't in it for the money. Or possibly they are. SORBS asks for donations from victims to get delisted, and also seeks donations from Subscribers. It is very unusual for blacklists to extort money from victims. Extortion is not so unusual, but usually not so overt.

    Sullivan responded at 8:32 EST June 12, 2003. Later that day, a defamatory and nutty letter was emailed to The Open Group by Kai Schlicting.

    Then, the listing was changed to:

    Netblock: (
    Record Created:Wed May 21 01:51:29 2003 GMT
    Record Updated:Sat Jun 14 23:46:50 2003 GMT
    Additional Information:Waiting for response from The Open Group - still suspected
    and therefore listed.

    Note that this "still suspected" assertion is almost identical to the false spam claims made by Alan Brown against ISPs he didn't like. As Brown learned, one is required by defamation law to make statements that are true. However, a problem exists that if we sue SORBS, then like ORBS, it will just close and pop up somewhere else. A rather expensive "whackamole" problem. Sullivan has challenged Av8 to sue him, and says he has no assets to pay damages.

    Sullivan has later claimed (below) that Schlicting has nothing to do with SORBS, but the OSF has not been contacted by anyone else. Sullivan also claims that Brown has nothing to do with SORBS, but the claims come from Brown, and the wording and claims in the original block come from Brown's message.

    It is interesting that SORBS also blocks 198.3.136/21 even though that block is assigned directly to Av8 Internet. The whole "story" about needing "proof" is just a lie.

    Netblock: (
    Record Created:Wed May 21 01:59:07 2003 GMT
    Record Updated:Fri Jun 13 23:24:45 2003 GMT
    Additional Information:More of Dean Anderson's Netblocks also appears to be hijacked.

    More emails

    Particularly interesting are the emails of June 2003, where

    Sullivan tries to weasel out of the XO complaint by claiming the www.sorbs.net and dnsbl.sorbs.net are different.
    Sullivan claims that "SORBS is however a non-profit company with no assets, no income and no debts, if you get your lawyers to do their home work, you can easily find out it's details."
    Sullivan "tires" of the discussion, says this discussion is "frivolous banter" and "spam", and threatens to block all further email.

    SORBS Information Scam/Identity Theft
    SORBS seems to be collecting a lot of sensitive information, just to view listings:
    Preferred Login ID:
    Confirm Password:
    Home Phone:
    Business Phone:
    Mobile Phone:
    Email Address:
    Autonomous Systems Number:
    Security Question:
    Security Answer:
    Skill Level: None, I can play games though.
    A little, just use them for email.
    Average, familiar with them, used at home and work.
    A lot, sysadmin or MCSE etc.
    My Name is Charles Babbage, or Alan Turing.

    This detailed information could be sold to IT recruiters, used for identity theft, password collection, or used for other mass marketing purposes. Security questions are often used by sensitive sites such as domain registries to authenticate users who have lost their passwords. This is very alarming information collection.

    Note: SORBS seems to have stopped asking for this information to view listing, as of a check made in May 2007.

    Extortion/Money Scheme
    SORBS has begun to demand money from victims as well as users. More on this as it comes in.

    Current Contacts
    The current state of affairs can be seen by comments on this email from Sullivan: (comments are in italics)

    Date: Wed, 30 Mar 2005 10:20:34 +1000
    From: Matthew Sullivan <matthew@sorbs.net>
    To: nanog@merit.edu
    Subject: FYI/OT: AV8 zombie listing in SORBS & the rantings of Dean A

    Dean Anderson wrote:
    >Hi folks. A few points about Sorbs (I've also started a web site
    >www.iadl.org to track abuse of the internet for defamation purposes. The
    >web site isn't finished, yet.)
    >1) Someone said Sorbs is just Matthew Sullivan.
    >Well, _Sullivan_ said it isn't just him. Yeah, sure, that has
    >However, my own experience with Sorbs has revealed that it is also Alan
    >Brown (formerly of ORBS) and Kai Schlicting. We all remember Alan from the
    >ORBS shutdown, I hope. Alan was found by three courts in separate cases to
    >be defaming people (two by using a blacklist).
    Dean, this is so far off topic its not funny. I am not going to discuss
    this further on NANOG, should you wish to discuss it you are welcome to
    join dnsbl-users@sorbs.net and make your case there (as anyone
    interested is welcome to subscribe and take a look).

    Anderson and others have tried discussing things with the script kiddies on spam-l. Anderson has tried with Steve Sobol's FREE list. That's fairly useless. Script kiddies have no interest in truth or facts. They are never wrong. And if any start to come around, the discussion is quickly ended.

    My information is that you did not apply for the address space in
    question for AV8, and that you took the address space from your former
    employers when you left by virtue of being the admin and technical
    contact for the netspace.

    The 130.105/16 space, as of March 2005, belongs to the Open Software Foundation, aka The Open Group. There is no reason for AV8 to "apply for it". But note the similarity with Kai Schlicting's nutty assertion that somehow OSF/TOG can't let AV8 use it. The 198.3.136/21 space is directly assigned to Av8 Internet, and was transferred in accordance with ARIN documentation requirements.

    That information has come from multiple reputable sources.

    Apparently not very reputable. But more importantly, it did not come from the authoritative sources: The Open Group, and did not come from ARIN. They are the only authoritative sources. No one else is authorized. So Sullivan is a liar, as are his "sources", if indeed, he has sources other than Alan Brown.

    I have repeatedly asked you for proof that you are the rightful owner of the
    netspace, and am still waiting for that proof

    Sullivan has repeatedly been told to look at the ARIN record: The rightful owner for 130.105/16 is the Open Software Foundation, aka The Open Group, as listed on the ARIN registration. Dean Anderson has never said he is the owner. Anderson is the authorized contact. He is authorized by The Open Group to use the space. The rightful owner of 198.3.136/21 is Av8 Internet. Like everyone else, you can check ARIN, which is the authoritative Regional Address Registry (RAR).

    - I'll be happy to delist any Zombie/Hijacked listings as soon as the
    rightful owners have the netspace in their possession and where they
    think they are the rightful owners and the information suggests
    otherwise (your case), a small piece of evidence is required for the
    delisting (eg a copy of a letter from the OSF stating that they gave you
    the netspace as a leaving 'present')

    There is no information that "suggests otherwise". An outright lie by Sullivan. There is no need for anyone to provide a letter to SORBS. This is a fallacy that is known as a "false authority", and SORBS uses many of the fallacies associated with false authority. This is yet another attempt at "social engineering" information that is irrelevant to the question of "ownership" or hijacking.

    .... and some facts that you seem to be lacking:

    Anderson is the assigned contact for the address space. OSF still exists and does business as The Open Group. Anyone can browse to http://www.osf.org or http://www.opengroup.org. Sullivan, like Alan Brown in his three lawsuits, is lacking "an honestly held belief". It is interesting that Sullivan defends himself as having an "opinion". Most people speak the truth, and defend themselves from defamation by claiming truth as an absolute defense.

    SORBS was created by me and I along with 18 other volunteers run it.

    Funny that no one else seems to talk about their participation. I participate in organizations, and I talk about that participation. Funny that no one seems to talk much about associating with SORBS, except as a misled user. Actually, I note that Paul Vixie of ISC.ORG is associated with SORBS.

    Neither Alan nor Kia have anything to do with SORBS (neither past or present).

    Brown originated the claims on spam-l http://www.iadl.org/ab/AB-defame0.html in March 2003.

    Kai contacted The Open Group http://www.iadl.org/ks/tog-defame.html hours after Sullivan responded to the first complaint. No one else has made any contact.

    My sites have not been, nor have ever been, booted from XO netspace (ns1.sorbs.net
    and http://www.isux.com/ ).

    Shortly after this complaint, sorbs.net was moved off of XO to ISC.ORG, and www.isux.com was simply shut down. As of 3/31/2005:

    www.isux.com. 3600 IN CNAME vortex.isux.com.
    vortex.isux.com. 3600 IN A
    The IP address belongs to XO, but no response is found on port 80.

    I have never been a student of The University of Queensland.

    This may be true. Presently, UQ has a search engine which lists Sullivan as a member of its IT staff.



    PS: If you reply in NANOG, don't expect a reply from me this is OFF TOPIC!

    Abusive blacklists are a frequent topic of NANOG. In particular, SORBS abuse has been discussed several times on NANOG. Sullivan posts frequently on blacklist issues.



