
SORBS.net are you OK now?


Lei Fan
One of our clients called yesterday, 13th Oct 2010: their emails were being bounced back by the recipient server. Great, I said to myself. The day before yesterday we had helped configure one Exchange transport rule to let an ASP web app deliver mail. Was it the cause? We reviewed every step. No problems. Then we did a blacklist check at mxtoolbox.com. It turned out the mail server IP was blacklisted at sorbs.net DUHL (dynamic IP). That did not make any sense to me. We used the XO Communications business solution. We have the rDNS record in place with a TTL value of 24 hours.

I went to sorbs.net for detailed info. Their website had changed its look and feel: a clean and neat design with a web 2.0 flavor. But I was not in the mood to appreciate the new interface. I did a database check using their tool. Wow. The result really scared me. The IP was listed 4 times: 2 in the DUHL DB, 2 in the spam DB. I had the impression we had a serious problem with our email servers. But wait a minute. When I looked at the timestamps I was confused. The 2 DUHL items were from last year, which happened due to the client's office move and ISP switch. Those issues were resolved the next day. The 2 spam entries were from 3 months ago, when one of the remote users, against company policy, used a home laptop with an SMTP trojan to VPN into the network. We also cleared that issue right away and restricted the firewall rules.

So there was not even one entry with a recent date on it. We were listed because of last year's history? I could not believe my eyes. But anyway, I planned to get them delisted first. What? Now sorbs.net requires a user login in order to submit a delisting request. Fine, I went through the process and set up an account. An activation request landed in my mailbox. I clicked the link. Web page could not be displayed. Tried on different PCs, with different DNS settings, same thing. No way. How about sending a direct mail to the system admin to explain the issue? OK, the talkback feature was still there. But it said DO NOT mention anything related to delisting, otherwise mails would be ignored. OK, I still decided to try my luck. Composed the email, clicked send, error: no valid recipient. I knew it. I requested that the activation link be resent; the 3rd time, after a hundred tries, my account was activated and I could log in. But the nightmare was not over yet. At this moment, I saw a PROCEED button next to each entry. Which should I click? Those were all old entries. I did all of them. There were 3 buttons after you clicked the proceed button: Submit Support Ticket, View Ticket, and Delist By Yourself. I clicked Delist By Yourself, and got an error: you are not authorized to perform this action. No surprise, I had to file 4 different tickets for those 4 entries. Luckily, I received the ticket notification right away. Unluckily, there were around 19,000 requests ahead of mine.

What happened? I guessed it was a DB crash, but there was no official news out there. I did a Google search for "SORBS.net issue", took the first item, and here is the link: http://isc.sans.edu/diary.html?storyid=9685 explained everything. SORBS.net was under DDOS attack? DBs crashed? When they migrated the DB, they migrated the historical data as current? I almost felt like it's a big joke. But I felt relief when I saw there were ISPs impacted, and we were not the only one. Until now, 14th Oct 2010, I still have not heard anything back from them regarding my tickets. I guess that would be normal since they would be extremely BUSY now. So I simply instructed my client to inform the recipients they had issues with to, if possible, temporarily remove SORBS.net from their anti-spam solution, since it would impact other senders as well, and if not, to whitelist us.

Now if I think it over again, was it a real DDOS? From my poor experience with their new interface and process, is it possible they made an upgrade but messed up the process/migration to the new servers? I had no idea. But here are my thoughts:
1. If you are a service company, no matter whether a profit or non-profit firm, you should fully test your production environment before you put it online. Because you are responsible for your customers, in this case all the users who might need to use the internet for messaging.
2. Again, if it is a real DDOS, do you have a security policy or do you have a recovery plan? I could not believe it started 7 days ago when users noticed it, and after 7 days there were still impacts.
3. I understand you want to fight against spammers on the internet, and you want to be very COLD to those spammers who are trying to beg you to delist them, so you have all those machine scripts and auto-replies. But do you even consider those legitimate users, those small business owners listed by mistake? Do they really understand what you have on your website? Those terms and policies? If you want to force them to read, fine, but be polite and friendly. And even better, have a human that someone can talk to.

Anyway, from my career, which is technology related, I learned I should be patient, and I understand it takes time for you to get everything back to normal. And good luck to you guys. At the same time I hope you also learned something from it. Also, just FYI for those IT admins, especially messaging admins, who find their mail delivery to certain recipients blocked for no reason.
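As an added example, not part of the original post, here is a Python script for the two checks the post describes: a DNSBL lookup of the mail server's IP against SORBS, and a forward-confirmed rDNS check. The SORBS zone names and the 127.0.0.x code meanings are assumptions from memory rather than from the post, and the resolver is injectable so the lookup logic can be exercised without network access.

```python
"""DNSBL and forward-confirmed rDNS check for an outbound mail IP (added example)."""
import socket
from typing import Callable, Dict, List

# SORBS zone names as assumed here; verify against the zone list on sorbs.net.
SORBS_ZONES = ["dnsbl.sorbs.net", "dul.dnsbl.sorbs.net"]
# Return-code meanings as I recall SORBS publishing them (assumption, not from the post).
SORBS_CODES = {"127.0.0.6": "spam", "127.0.0.10": "DUHL (dynamic/dial-up space)"}
Resolver = Callable[[str], List[str]]  # name -> A records; [] means NXDOMAIN


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip: str, zones: List[str], resolve_a: Resolver) -> Dict[str, List[str]]:
    """Return {zone: [reason, ...]} for each zone that lists the IP. Only answers in
    127.0.0.0/8 count; anything else is a broken or wildcarded zone, not a listing."""
    listings: Dict[str, List[str]] = {}
    for zone in zones:
        answers = [a for a in resolve_a(dnsbl_name(ip, zone)) if a.startswith("127.")]
        if answers:
            listings[zone] = [SORBS_CODES.get(a, f"code {a}") for a in answers]
    return listings


def fcrdns_ok(ip: str, resolve_ptr: Callable[[str], str], resolve_a: Resolver) -> bool:
    """Forward-confirmed rDNS: the PTR name must resolve back to the same IP."""
    try:
        name = resolve_ptr(ip)
    except OSError:
        return False
    return bool(name) and ip in resolve_a(name)


def live_a(name: str) -> List[str]:
    """A lookup through the system resolver; NXDOMAIN becomes an empty list."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    ip = "192.0.2.25"  # TEST-NET-1 placeholder; use the mail server's public IP
    print("listings:", check_dnsbl(ip, SORBS_ZONES, live_a))
    print("FCrDNS ok:", fcrdns_ok(ip, lambda a: socket.gethostbyaddr(a)[0], live_a))
```

A listing that reports an old code, as in the post, is still a listing from the recipient's point of view, so the output is only a starting point for the delisting ticket, not proof that the server is clean.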