[AusNOG] Network Operators Unite Against SORBS

[Michelle Sullivan]

Damien Gardner Jnr wrote:
> On 13/10/2010, at 10:59 AM, Cole, Patrick wrote:
>
>> Personally,  I'm sick of SORBS wasting my time with their DUHL 
>> listings on IP address space that has been re-purposed from dynamic 
>> to static.   After six months of logging tickets I finally got all 
>> our static blocks delisted a few months ago, and now just in the last 
>> week suddenly the whole lot have been listed again, and their website 
>> was also broken at the time making delisting impossible.    A week 
>> later, customers are still complaining.
>
> I'm guessing you're not on the SORBS mailing list - it's been a busy 
> couple of weeks for them :)  They were apparently migrating from their 
> 'old' database, to a 'new' database, and something broke in the 
> process, so instead of happening overnight, it took over a week..  And 
> in the middle of that, a whole bunch of old listings re-appeared. 
>  Mat^H^Hichelle posted on the 8th that that was now all fixed and the 
> migration was completed.

More than one error, and it turned out to be my fault.  A programming 
error which switched 2 variables (and there for columns) in the database.

We have been running without the Spam and Web/Hacked databases being 
exported for over a week now because of the problem.  Today we will 
re-migrate the affected flag which will resolve it.
>
> Seems they have some new delisting policies with the new owners.. - 
> get your netblock blacklisted (rather than just a single IP), and you 
> have no option except to pay the 'donation' ? hrrrm
>
There are new policies, the policies have not been updated on the 
website yet as I have been busy fixing the incorrect listings.

Basically, SORBS2 allows a network operator to register and delist IPs 
within set limits for the spam and web databases.

First time listings 48 hours + (timeout * number of spams) (max 10 spams)
Second time listings 48 hours + (timeout * 2 * number of spams) (max 50 
spams)
Third time listings 48 hours + (timeout * 5 * number of spams) (max 100 
spams)
Forth time listings 48 hours + (timeout * 10 * number of spams) (max 250 
spams)
Fifth time listings 48 hours + (timeout * 28 * number of spams) (max 500 
spams)

If you are over the max spams you have to log a support ticket.

The spams should not be more than one for any single "spam run" as we 
block the host at the spamtrap server when it is listed for the 
following 24 hours.  So in theory you'd have to be spamming 10 days in a 
row to exceed the first listing limit.  In practice the time to block vs 
amount of connections incoming could cause more than one to get through 
but the most I have seen has been 3.


We also have paid support staff now as well as the volunteers so support 
is getting quicker.  Several weeks ago we were 1 month behind answering 
tickets, we are now down to 6 days.  I expect this to be 24 hours within 
another week or 2.  Escalated listings are still way behind, but if you 
have an escalated listing you have ignored the spam problem in your 
network for way too long, so we will prioritise those who are more 
active (even if reactive.)

The DUHL Queue processing is currently suspended whilst we complete the 
change over.  This will only be a few more hours then I expect the month 
of back log to be caught up within 4 or 5 days.

That said shortly Operaters will be able to login and update their 
complete static/dynamic/business etc ranges directly.  This utility is 
already there and was added with SORBS2 if anyone wants access they can 
log a support request *from the email address registered in the whois DB 
for the networks concerned* and we will give them access.  The access 
will allow them to see the process however it stops short of actually 
changing the database itself until I am confident that the other bugs 
that reared up have been successfully nuked.

Best regards,

Michelle @ SORBS