Introduction
The SORBS DNSBL is just a list of numbers, nothing more, nothing less. The significance of these numbers is that they are related to hosts on the Internet whose condition/settings have included the particular vulnerabilities which we seek to eliminate, i.e., open relays, open proxies, etc.

As a prospective user of the SORBS lists you have a number of choices/decisions to make:
  1. How aggressive at stopping spam do you want to be?
  2. Do you want to trust the SORBS administrators as well as a testing script?
  3. Do you trust the scripts the SORBS administrators employ to identify badly configured hosts?
  4. Do you run your own mail server?
  5. Do you run your server for other people?
  6. Do you want to reject email or just flag it as spam?
In addition to the above you also have to consider how much load you are going to put on the servers, including the SORBS DNS server. For instance, large or busy sites (more than 10 incoming emails per second) should be applying for zone transfers, rather than querying the SORBS server directly.

How do server administrators use SORBS...?
Server administrators may use SORBS by querying the server directly using their mailserver's features.

Configurations for common mailservers are:

Zones Available
        dnsbl.sorbs.net - Aggregate zone (contains all the following DNS zones)
   http.dnsbl.sorbs.net - List of Open HTTP Proxy Servers.
  socks.dnsbl.sorbs.net - List of Open SOCKS Proxy Servers.
   misc.dnsbl.sorbs.net - List of open Proxy Servers not listed in
                          the SOCKS or HTTP lists.
   smtp.dnsbl.sorbs.net - List of Open SMTP relay servers.
    web.dnsbl.sorbs.net - List of web (WWW) servers which have spammer
                          abusable vulnerabilities (e.g. FormMail scripts)
                          Note: This zone now includes non-webserver
                          IP addresses that have abusable vulnerabilities.
   spam.dnsbl.sorbs.net - List of hosts that have been noted as sending
                          spam/UCE/UBE to the administrators of SORBS.  This
                          zone also contains net blocks of spam supporting
                          service providers, including those who provide
                          web sites, DNS or drop boxes for a spammer.  Spam
                          supporters are added on a 'third strike and you are
                          out' basis, where the third spam will cause the
                          supporter to be added to the list.
  block.dnsbl.sorbs.net - List of hosts demanding that they never be tested
                          by SORBS.
 zombie.dnsbl.sorbs.net - List of networks hijacked from their original
                          owners, some of which have already been used for spamming.
    dul.dnsbl.sorbs.net - Dynamic IP Address ranges (NOT a Dial Up list!)
        rhsbl.sorbs.net - Aggregate zone (contains all RHS zones)
badconf.rhsbl.sorbs.net - List of domain names where the A or MX
                          records point to bad address space.
 nomail.rhsbl.sorbs.net - List of domain names where the owners have
                          indicated no email should ever originate from these
                          domains.

Note: The web.dnsbl.sorbs.net domain includes infected Nimda and Code Red hosts, as well as hosts that contain FormMail scripts, or other known exploits that allow a remote user to use that host to send/relay spam. Exploits that include guessing passwords will not be included. Where possible, servers will not be exploited in the process of testing.

SORBS Return Codes
SORBS returns 127.0.0.x codes to indicate which database the test result was obtained from. If you use the aggregate zone, the return codes will still reflect the specific database(s) from which the results have been obtained.

e.g. If 4.3.2.1.socks.dnsbl.sorbs.net returns 127.0.0.3

then

4.3.2.1.dnsbl.sorbs.net would also return 127.0.0.3.

If an IP address appears in more than one database and you query using the aggregate zone, all applicable codes are returned.

e.g. If in addition, 4.3.2.1.http.dnsbl.sorbs.net returns 127.0.0.2

then 4.3.2.1.dnsbl.sorbs.net would return both 127.0.0.2 and 127.0.0.3

Return codes are:
          http.dnsbl.sorbs.net    127.0.0.2
         socks.dnsbl.sorbs.net    127.0.0.3
          misc.dnsbl.sorbs.net    127.0.0.4
          smtp.dnsbl.sorbs.net    127.0.0.5
          spam.dnsbl.sorbs.net    127.0.0.6
           web.dnsbl.sorbs.net    127.0.0.7
         block.dnsbl.sorbs.net    127.0.0.8
        zombie.dnsbl.sorbs.net    127.0.0.9
           dul.dnsbl.sorbs.net    127.0.0.10
       badconf.rhsbl.sorbs.net    127.0.0.11
        nomail.rhsbl.sorbs.net    127.0.0.12
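
The lookup and return-code handling described above, as an added example (not SORBS code): it builds the query name with the client's IPv4 octets reversed, as in the 4.3.2.1 examples, and maps every returned 127.0.0.x code to its zone. The reject/flag split in REJECT_ZONES and all function names are assumptions chosen for illustration.

```python
import ipaddress
import socket

# Return codes as listed on this page (the two rhsbl codes apply to
# domain-name lookups and are kept only so the table is complete).
SORBS_CODES = {
    "127.0.0.2": "http.dnsbl.sorbs.net",
    "127.0.0.3": "socks.dnsbl.sorbs.net",
    "127.0.0.4": "misc.dnsbl.sorbs.net",
    "127.0.0.5": "smtp.dnsbl.sorbs.net",
    "127.0.0.6": "spam.dnsbl.sorbs.net",
    "127.0.0.7": "web.dnsbl.sorbs.net",
    "127.0.0.8": "block.dnsbl.sorbs.net",
    "127.0.0.9": "zombie.dnsbl.sorbs.net",
    "127.0.0.10": "dul.dnsbl.sorbs.net",
    "127.0.0.11": "badconf.rhsbl.sorbs.net",
    "127.0.0.12": "nomail.rhsbl.sorbs.net",
}
# Assumed local policy (not from SORBS): reject on these, flag on the rest.
REJECT_ZONES = {"http.dnsbl.sorbs.net", "socks.dnsbl.sorbs.net",
                "misc.dnsbl.sorbs.net", "smtp.dnsbl.sorbs.net"}

def query_name(ip, zone="dnsbl.sorbs.net"):
    """Reverse the IPv4 octets and append the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """All A records for name; an empty list means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN or resolver failure: fail open
        return []

def check(ip, zone="dnsbl.sorbs.net", resolver=system_resolver):
    """Return (action, zones, unexpected) for a connecting client IP."""
    zones, unexpected = [], []
    for answer in resolver(query_name(ip, zone)):
        if answer in SORBS_CODES:
            zones.append(SORBS_CODES[answer])
        else:
            # Not a documented code (e.g. a resolver rewriting NXDOMAIN):
            # never treat it as a listing.
            unexpected.append(answer)
    if REJECT_ZONES.intersection(zones):
        action = "reject"
    elif zones:
        action = "flag"
    else:
        action = "accept"
    return action, sorted(zones), unexpected
```

Pass a resolver callable to exercise the logic offline; the default uses the system resolver.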

Additional Zones such as SPEWS...
In addition to providing the SORBS zones, SORBS also makes the SPEWS data available by DNSbl lookup.

As the policy of SORBS (and one of the reasons for creating SORBS) was the publishing of data that is fully under SORBS control, the SPEWS zones are not included in the SORBS aggregate zone. This is the same reason why SORBS does not present other DNSbls' data.

For those wanting the SPEWS data by simple DNSbl lookup, SORBS provides the following zones as a courtesy:
l1.spews.dnsbl.sorbs.net - SPEWS Level one listings
l2.spews.dnsbl.sorbs.net - SPEWS Level two listings

Return codes for both these zones are 127.0.0.2

Note: The SPEWS Level two zone contains all the level one data - you do not need to query both if you are treating the data the same way.

Information for large sites
Large sites, please contact Matthew Sullivan before using SORBS. You may contact Matthew by using the contact information at: The iSux Contacts Page, or by using the Mail/Contact Form at: http://www.dev.sorbs.net/cgi-bin/mail.