SORBS Mis-listings

Hey guys,

Well, I've done everything a responsible net owner could possibly do before bringing this to WHT (not like badmouthing SORBS is even a decent investment of my $0.02, but still, airing dirty laundry isn't my idea of fun).

Anyhow, the story is very basic. We house all of our reseller servers in a single (efficiently used) /24 of IPs (a class C, 256 IPs). About two months ago, an insecure PHP script was uploaded to the server, kiddies found it, and repeatedly found ways around the basic security, uploading scanners and spam software. Each time, admittedly, scans/spam did get out, until the first report, at which time the files were located and dealt with. It took us a bit to crack down on which script they were originating from (as they were all running as the user nobody, and reports typically took 24+ hours to come in, yet WHT is rotating the logs after each stats run (e.g. midnight)). Needless to say, SORBS decided this was a rooted server (which it most certainly was not), and listed it as such:

Database of vulnerable/hacked servers

Address and Port: 66.199.xxx.xxx
Record Created: Sat Sep 4 00:37:36 2004 GMT
Record Updated: Sat Sep 4 00:37:36 2004 GMT
Additional Information: Possible RootKit installed.
Currently active and flagged to be published in DNS
If you wish to request a delisting please do so through the Support System.

OK, so now I try to view the evidence files; curiously enough (after asking for my credentials) their system states it cannot locate any. So I try to get the host delisted, follow the instructions, and get an email reply back from their system:

Hi,

This is an automated response.

Someone, possibly you, sent a message to keysreq@sorbs.net requesting
the SORBS DNSbl retest keys for [66.199.xxx.xxx], [66.199.xxx.xxx]

If you did not request the keys, please ignore/delete this message.

Requestor IP: 66.199.180.20
Return-Path: admin@prioritycolo.com

Unfortunately no keys could be found. This could be for one of three reasons:

1) There are no keys for the IP addresses you submitted.
2) The email address you used to send the request from was not either:
a) Registered at abuse.net as a contact for the IP addresses
b) The responsible persons email in your DNS SOA record for the IP addresses
3) The IP addresses you submitted have been retested 5 times previously.

Thank you for using this automated service.

Notably, by this time I'm a bit frustrated. So I email SORBS and wait a few days. No response. I then send a similar email to all of their contacts available on their web-based submission form and wait over a week, no response.

By this time, there's a second server listed (which has not had any such abusive content even uploaded, much less activated, to the best of my knowledge; no complaints in the past 3 months for those IPs by any reporting authority).

Now SORBS is stating "you are not authorized to view this information" when trying to look up the evidence file.

Notably, I decide to sign up with SORBS (considering my user ID number is < 125, I'm guessing I'm one of the first). This does absolutely no good: still can't view the info, can't get the host delisted, can't even offer an explanation to state that it was simply an abusive PHP script running as nobody.

At this point, I'm beyond frustrated with SORBS, and their files do indicate that they were scanning our servers with a .cgi file to determine they were "infected" (which most would classify as abusive in itself), noted by the following on their page:

Additional information on the host is: /alya.cgi found possible Rootkit installation.

Notably, I've signed up to their pathetic system (registered), input my information dozens of times to see if there were problems with their key checker, etc., and emailed everyone without any response aside from the automated system. At random times, I got error emails back from their own CGIs, hinting that there were indeed internal problems.

Has anyone ever run into this? Renumbering servers because some weak RBL has baselessly accused them of being abusive is not an option (especially since it's IP space SWIP'd to us). Notably they have no [functional] remove method, they have no [functional] contact methods, and they have no evidence files to indicate where they are drawing their conclusions from. Also, other IPs in our blocks could be listed (since they have no method I could locate for a mass listing, I don't have time to scan 2k IPs by hand).

Advice from anyone who's dealt with this would be appreciated. Notably I see a record here that SORBS used to charge a $50 delisting fee [notes in SpamAssassin config files, for example] (though the terms are very confusing; part of it looked almost like "we'll remove you for free, unless you're still spamming, then you have to pay $50 to get removed" [by the way it was worded]). Anyone know if that is still true (and wouldn't that classify as extortion?)?

TIA,
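The post above asks for a way to find out which other addresses in a block are listed without checking 2k IPs by hand. The script below is an added example, not code from the original post and not anything SORBS provides: it builds the reversed-octet DNSBL query name for every address in a CIDR block, runs the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not) so a dead or wildcarded zone does not make the whole block look listed, and reports the addresses that return an A record. The zone name dnsbl.sorbs.net is assumed; the TEST-NET-1 block and the entries in the fake resolver are constructed sample data so the demo runs offline.

```python
"""Bulk DNSBL lookup for an IPv4 block.

A DNS-based blocklist is queried by reversing the octets of the address and
appending the list's zone. Example (constructed): 192.0.2.1 checked against
dnsbl.sorbs.net is looked up as 1.2.0.192.dnsbl.sorbs.net. An A record in the
answer (conventionally 127.0.0.x, the list's return code) means "listed";
NXDOMAIN means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Assumption: SORBS' aggregate zone. Substitute the zone of whichever list you check.
DEFAULT_ZONE = "dnsbl.sorbs.net"

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the reversed-octet query name for one IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input instead of querying garbage
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name: str) -> Optional[str]:
    """Live resolver: the A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def zone_is_sane(zone: str, resolve: Resolver = resolve_a) -> bool:
    """RFC 5782 sanity check before trusting results from a list.

    A working DNSBL lists the test address 127.0.0.2 and does not list 127.0.0.1.
    A zone that answers for 127.0.0.1 (or for nothing at all) is dead or wildcarded
    and would make every address in the block look listed (or clean).
    """
    positive = resolve(dnsbl_query_name("127.0.0.2", zone))
    negative = resolve(dnsbl_query_name("127.0.0.1", zone))
    return positive is not None and negative is None


def scan_block(cidr: str, zone: str = DEFAULT_ZONE,
               resolve: Resolver = resolve_a) -> Dict[str, str]:
    """Return {ip: return_code} for every address in cidr that the list answers for.

    Iterates the whole block, network and broadcast addresses included, since a
    DNSBL can carry an entry for any address.
    """
    network = ipaddress.IPv4Network(cidr, strict=False)
    listed: Dict[str, str] = {}
    for host in network:
        answer = resolve(dnsbl_query_name(str(host), zone))
        if answer is not None:
            listed[str(host)] = answer
    return listed


# Constructed sample data so the demo runs offline: two listed hosts in TEST-NET-1
# plus the RFC 5782 test entry. Real return codes are defined by each list.
FAKE_ZONE_DATA = {
    dnsbl_query_name("192.0.2.20"): "127.0.0.6",
    dnsbl_query_name("192.0.2.77"): "127.0.0.2",
    dnsbl_query_name("127.0.0.2"): "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for resolve_a backed by FAKE_ZONE_DATA."""
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    # Swap fake_resolve for resolve_a (the default) to query the live list.
    if not zone_is_sane(DEFAULT_ZONE, fake_resolve):
        raise SystemExit(f"{DEFAULT_ZONE} fails the 127.0.0.1/127.0.0.2 check; results untrustworthy")
    hits = scan_block("192.0.2.0/24", resolve=fake_resolve)
    for ip, code in sorted(hits.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        print(f"{ip} listed, return code {code}")
```

To run it against the live list, drop the resolve argument so the default socket-based resolver is used. One query per address means 256 lookups for a /24 (and about 2k for the blocks mentioned above), so point the host at a local caching resolver and throttle rather than hammer the list's nameservers; the return code tells you which of the list's sub-zones produced the entry, but its meaning is defined by the list operator, not by this script.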
