Monday, July 17, 2006

UCE: SORBS is incorrectly identifying static IP addresses as dynamic

I recently had a customer submit a ticket indicating that they were unable to send email to a particular domain and that they were receiving an NDR. After asking them to send me a copy of the NDR, I started by checking DNSstuff to verify that the customer’s IP hadn’t been added to any block lists. With the exception of SORBS they hadn’t been added to any other lists. This fact was my first indication that the issue was probably not a spam/uce/virus issue on an internal host.

The forwarded NDR, once I received it, confirmed that SORBS had indeed added them to their block list.

Your host was found in the DNS Blacklist at

After doing a lookup of the IP address in the SORBS database, I noted the following error:

Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment

Just to get some further confirmation, I checked IP addresses in the range near the affected IP, and the entire range was actually block listed, with SORBS noting that the range was a dynamic range. Next, I confirmed that there wasn’t anything out of the ordinary going on in terms of hosts on the customer network sending out uce/spam/junk, and then proceeded to request that SORBS remove the blocked IP.

While waiting for a response from SORBS, I used nslookup to check out the rDNS information for this domain.

set type=ptr

The nslookup results indicated that rDNS was set up properly, with the PTR pointing to “” (where xxx-xxx-xxx-xxx = the customer’s IP address).

The first response I received from SORBS support indicated that my delisting request was “rejected”, stating that the IP address in question was “dynamic”, and provided three options as far as a path-forward.

1) Send your email through your ISP's mail servers, as suggested in various places at our website.

2) Have your DNS data modified so that the listed IP address has a clearly non-dynamic rDNS. We suggest that you include the keyword "static" on this name, to avoid future listings. Also, ensure that the TTL is set to no less than 43200 seconds (we recommend 86400).

3) Ask your ISP to get in touch with SORBS with the list of dynamic and static IP allocations within its network, so that our DUHL list can be updated. Note that many large ISPs do this periodically to reduce the inconvenience to its users. In this case, the communication must come from a RIR contact for the affected IP space.

The IP address is a static address - both our records and the billing information confirm this; furthermore, it has been static for a number of years. Since option 1 wasn’t going to meet the customer’s needs, and since the ISP would need to handle making any changes to PTR records, we had to bring in the ISP on option three to request delisting on our behalf. We reported the issue to our ISP customer support, as well as to our ISP’s abuse address (e.g.

SORBS specifically wants PTRs to identify addresses as static, and points to an RFC draft on suggested generic naming schemes as the source of this requirement, such that a PTR of "" might be considered to be dynamic, while a PTR of "" would fit the model that they want.
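As an added example (not part of the original post, and not SORBS's own logic), here is a small pre-check an admin could run on a mail server's PTR record before requesting delisting. It tests only the two things the SORBS reply names, the "static" keyword and the TTL floor; treating a name that embeds the IP octets as "generic" is an assumption, and the sample names and addresses are constructed.

```python
import re

MIN_TTL = 43200          # floor quoted in the SORBS reply
RECOMMENDED_TTL = 86400  # value the SORBS reply recommends


def embeds_ip(ptr_name, ip):
    """True if the PTR name carries the IPv4 octets (forward or reversed),
    joined by '-' or '.', e.g. 192-0-2-10.example.net."""
    octets = ip.split(".")
    for order in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"[-.]".join(map(re.escape, order)) + r"(?!\d)"
        if re.search(pattern, ptr_name):
            return True
    return False


def review_ptr(ip, ptr_name, ttl):
    """Return a list of findings for one PTR record; empty means no concerns."""
    findings = []
    name = ptr_name.lower().rstrip(".")
    # Assumption: a name built from the IP itself is what reads as "generic".
    if embeds_ip(name, ip) and "static" not in name:
        findings.append("generic-no-static")
    if ttl < MIN_TTL:
        findings.append("ttl-below-minimum")
    elif ttl < RECOMMENDED_TTL:
        findings.append("ttl-below-recommended")
    return findings


if __name__ == "__main__":
    # Constructed samples (RFC 5737 documentation addresses and example domains).
    samples = [
        ("192.0.2.10", "192-0-2-10.example.net.", 3600),
        ("192.0.2.10", "192-0-2-10.static.example.net.", 86400),
        ("192.0.2.10", "mail.example.org.", 43200),
    ]
    for ip, name, ttl in samples:
        print(ip, name, ttl, review_ptr(ip, name, ttl) or "ok")
```

The PTR name and TTL to feed in are the ones returned by the nslookup PTR query shown earlier.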

The ISP's Abuse Team was the first to respond, and indicated that SORBS is infamous for blocking based on PTRs not looking static enough. They then submitted a request with SORBS on the customer’s behalf to prompt delisting.

As soon as I confirm that this issue is resolved, I will follow up with a post.
