Interview: Michelle Sullivan, Founder of SORBS – Part II
In Part II of our interview with Michelle Sullivan we discuss the future of spam blocking; whether or not blacklists or algorithms are still the best spam prevention method; the dreaded SORBS fine; and how Michelle would change email if she could. If you missed Part I of the conversation, you can find it here.
uTest: SORBS catches a lot of flack for some of its heavy tactics, like fines. Do you think these tactics work, as opposed to more educational or consultative approaches? Is there room for both?
MS: We have also gained some real support for taking such a hard line.
The SORBS fine does not exist any more.
With the deployment of SORBS v2.0 we have discontinued the fine; instead we are taking a time-based penalty approach. I have in the past been a supporter and a hater of the SORBS fine, which often confused people. I hated having it, but saw no other option. I believe that people running the servers for spammers, whether knowingly or unknowingly (e.g., by having a robot on their machine) or ISPs and hosters running the DNS and webservers for profit are responsible for the spam in their own way. I feel that those people need to be encouraged to take a more responsible and active role in the prevention of spam by proactively ensuring their machines do not participate in botnets, that their sales staff do not sell ‘pink contracts’, etc. The fine outraged many people, until they realised that:
- SORBS never received a penny of the fine
- They wouldn’t likely have actually done anything if they could ‘just delist’
- Policies for some very large ISPs of the world have changed because of it
uTest: People seem to have a love/hate relationship with blacklists. On the one hand, they cut down on a lot of spam. On the other hand, nobody wants to be a false positive. The consequences of having a mail server accidentally be blocked can be catastrophic for a business or individual. What kinds of processes does SORBS use to make sure each listing is legit?
MS: This goes back to my previous comments on transparency: all the submission systems for SORBS v2.0 are based on specific events, and they are automated. This means that there is virtually no possibility of error. Of course this doesn’t mean a thing if your error-free data is mangled on transfer when performing a migration, but within normal SORBS operation every piece of data is signed by the host in a way that makes it easily detectable that the host sent the data and that it is untampered with. Should the tamper check fail, we discard the information, even if it is legitimate. This helps us ensure that the data in the database is always correct at time of insertion.
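The "signed by the host, discarded if the tamper check fails" ingestion described above, as an added example that is not SORBS code: per-host shared secrets, HMAC-SHA256 and the record layout are assumptions, since SORBS does not publish its signing scheme.

```python
"""Verify that an event record came from the host it claims and was not altered
in transit; anything that fails the check is dropped. Added example, not SORBS
code. Per-host keys and the HMAC scheme are assumptions."""
import hmac
import hashlib
import json

# Constructed per-host keys; a real deployment would keep these in a secret store.
HOST_KEYS = {
    "trap-01.example": b"constructed-key-for-trap-01",
    "trap-02.example": b"constructed-key-for-trap-02",
}


def canonical(record: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_event(host: str, record: dict) -> dict:
    """Submitting host attaches an HMAC-SHA256 tag over the canonical record."""
    tag = hmac.new(HOST_KEYS[host], canonical(record), hashlib.sha256).hexdigest()
    return {"host": host, "record": record, "sig": tag}


def verify_event(submission: dict) -> bool:
    """Central side: recompute the tag with the claimed host's key and compare it
    in constant time. An unknown host or a mismatch means the data is rejected."""
    key = HOST_KEYS.get(submission.get("host"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(submission["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, submission.get("sig", ""))


def ingest(submissions: list) -> list:
    """Keep only verified records; tampered or forged ones are discarded even
    when their content looks plausible."""
    return [s["record"] for s in submissions if verify_event(s)]


if __name__ == "__main__":
    good = sign_event("trap-01.example", {"ip": "192.0.2.10", "event": "spamtrap-hit"})
    tampered = sign_event("trap-02.example", {"ip": "192.0.2.20", "event": "spamtrap-hit"})
    tampered["record"]["ip"] = "192.0.2.99"  # altered after signing
    forged = {"host": "trap-01.example", "record": {"ip": "192.0.2.30"}, "sig": "00" * 32}
    print(ingest([good, tampered, forged]))  # only the first record survives
```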
uTest: The Internet has grown and changed a lot since the creation of the first blacklist. With so many people using email for all kinds of communication, do centralized blacklists still make the most sense as spam prevention mechanisms?
MS: Defense in Depth is the key to the whole debate. No one blacklist should be used without careful consideration. No one non-blacklist method should be used without careful consideration. This does not mean that it is wrong to use SORBS as the only external blacklist, it means you should be using SORBS with other technologies (such as a local or global whitelist) as appropriate to your systems.
To give an example, I use SORBS on my mail server at home, and I also use a variety of DNS, recipient and sender verification checks. Each of these methods is a “make a match and you’re blocked” rule; however, I have a set of rules that precedes the blocking rules that say, “if it looks like this, it might be ok” or “if it’s from here, skip this check”, etc. The net result is that at home, and with GFI MailEssentials, I receive virtually no spam in my Inbox, and those that get past the initial checks are routed back to SORBS to improve the catch rate for SORBS users. The connection rate to my poor old mail server is averaging some 100,000-150,000 connections per day, where I actually receive about 50-100 non-spam emails out of that.
uTest: Should we, for example, be putting more faith in algorithms?
MS: You need to evaluate the problem you face and take appropriate action, if this means using algorithms then you should use them. I use blacklists, heuristics and some very special personal algorithms on my home server, so I don’t see why you shouldn’t. The important part as I mentioned before is that you should not rely on a single method, especially as there are products like GFI MailEssentials that will combine the many methods into an easy-to-use central interface.
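The layered policy described in the two answers above (skip/whitelist rules first, then "match and you're blocked" rules such as a DNSBL hit), as an added example that is not SORBS or GFI code: the DNSBL zone name, the offline lookup table standing in for DNS, and the trusted networks and domains are all constructed assumptions.

```python
"""Layered connection policy: whitelist rules run first, blocking rules after.
Added example, not SORBS/GFI code; zone, lookup table and lists are constructed."""
import ipaddress
from typing import Optional

# Constructed stand-in for a DNSBL zone and the answers DNS would return.
DNSBL_ZONE = "dnsbl.example"
FAKE_DNS = {"8.2.0.192.dnsbl.example": "127.0.0.2"}  # 192.0.2.8 is listed

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_SENDER_DOMAINS = {"partner.example"}


def dnsbl_name(ip: str) -> str:
    """DNSBLs are queried by reversing the IPv4 octets under the zone name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + DNSBL_ZONE


def dnsbl_listed(ip: str, resolver=FAKE_DNS.get) -> bool:
    """Any A record under the zone means 'listed'; NXDOMAIN (None) means clean."""
    return resolver(dnsbl_name(ip)) is not None


def skip_rules(conn: dict) -> bool:
    """Whitelist layer: a match here bypasses the blocking layer entirely."""
    ip = ipaddress.ip_address(conn["ip"])
    if any(ip in net for net in LOCAL_NETS):
        return True
    return conn["sender"].rsplit("@", 1)[-1] in TRUSTED_SENDER_DOMAINS


def block_rules(conn: dict) -> Optional[str]:
    """Blocking layer: the first matching rule names the rejection reason."""
    if dnsbl_listed(conn["ip"]):
        return "dnsbl"
    if not conn["rdns"]:
        return "no-reverse-dns"
    if not conn["recipient_exists"]:
        return "unknown-recipient"
    return None


def decide(conn: dict) -> str:
    """Return 'accept' or 'reject:<reason>'; skip rules are consulted first."""
    if skip_rules(conn):
        return "accept"
    reason = block_rules(conn)
    return "accept" if reason is None else f"reject:{reason}"
```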
uTest: What kind of tech runs behind the scenes at SORBS?
MS: As with any large database and web system there is a centralised cluster of servers that are used to analyse incoming data as well as provide reporting and distribution capabilities. Outside the central cluster, the systems are distributed to as many networks as possible in as many geographically separate locations as manageable. This is to assist resilience whilst maintaining a good level of control. It is not uncommon for SORBS servers to be attacked by Distributed Denial of Service attacks and as such we have made the systems as redundant and as distributed as possible.
Actual technical specs are naturally confidential, but the SORBS v2.0 database runs on the PostgreSQL relational database, and the new SORBS v2.0 website and systems run on more than 78,000 lines of Perl code (not including the monitoring (Nagios), support (Request Tracker) or database replication software (Bucardo), which is provided by others).
uTest: How many people contribute to the operation?
MS: There are two distinct parts of SORBS: the volunteers and the GFI staff. We have five very active volunteers and several part-time volunteers. We have myself and Katie, the full-time SORBS support person, and we have the management of GFI and a number of other staff (researchers, marketing, and technical writers) that have worked on SORBS or are working on SORBS.
uTest: If you could change the way email works in this world, what would you do?
MS: I don’t think I would change it. I have thought long and hard about the problem of spam and viruses and have come to the conclusion that what makes email work is what enables the viruses and spam in the first place. I can see no way around it.
Email systems have to allow ‘unknown’ connections that can say they are who they are completely anonymously. There is no option in that respect, and as such the spammers can use this core functionality against us.
Options that I have considered are a ‘web-of-trust’ type email system, where you only trust your neighbours; this would work well, except when it comes to new servers and new domains. How would anyone ever send mail from a previously unknown location? Of course if there is a method to counter this, the spammers and virus creators would exploit the method to spread their rubbish.
Centralised and decentralised authentication mechanisms are a great idea (particularly the latter) but again suffer similar flaws: if it is centralised there is a single point of failure, and if it is decentralised there is the problem of administration of who gets to do what and whether spammers can get into it (this is very similar to web-of-trust).
Pay-for-delivery models would stop spammers in their tracks if the cost is high, but the problem is the administration of who pays what, and what happens if the world’s largest email providers say, “we don’t like you, so if you want to send email to us, it’ll cost you $100 per email” or some similar scenario. How does a home user, or small business collect from the likes of AOL or Hotmail, and what happens if gmail says, “we’re not going to accept mail unless you have $10,000 credit with us” etc?
Governmental administration wouldn’t help either; yes sure there would be many more jobs created just in the administrative overheads, but really which government would control the pricing and services? The whole idea is a non-starter in so many ways.
The Internet was made to be resilient and to enable messages to be able to take many different paths so that they get through. This is what makes both the Internet and email so good, so useful and so revolutionary. To change the way it works would change the core of what it is, we have to take our hands off it and stop the spam via more traditional methods: Put the miscreants in jail, stop them making money, make it too costly for the business model to work and hopefully they’ll go do something more useful instead.
Best regards,
Michelle Sullivan
SORBS Engineering Director
GFI Software
Editor’s note: We hope you enjoyed our two-part interview with Michelle Sullivan. If you have an idea for a future interview, send your suggestions to marketing@utest.com.
SORBS is by far the most useless service on earth. I prefer to delete 500 scam mails more every single day instead of losing important mails that are critical for my business. SORBS is not the solution but the problem; if I wish to block mails I can do this at a personal level, I don’t need anyone to judge what mails I want and which ones I don’t want. Mail servers of 1und1, gmail and yahoo are on their lists, blocking millions of real emails, this is a joke.
mike: You are missing the point of DNSBLs like SORBS.net. Your problem is that your ISP is listed because they meet SORBS’ criteria, and you need to either get your ISP to resolve the listing (usually by terminating accounts that are operated by spammers), or switch to an ISP that refuses to provide services to spammers.
Randolf: You are wrong. We are the ISP, and we have dealt with these useless guys for the past 4 years. We gave all our subnets, both currently assigned and unassigned. Recently we assigned four /24 subnets to our customers statically from Aug 1st to date (those were previously unassigned and listed on the DUHL by default). We sent the requests to them, 2 in August and 2 in November. Until now, I didn’t receive any update from these useless fellows, and we are unable to answer our customers who are running servers behind their IPs.
STOP USING SORBS. SORBS was started by an arrogant person and the same person is extremely arrogant and non-listening to this day. EXCESSIVE false positives. Did you hear what I said. EXCESSIVE FALSE POSITIVES – FOR NO REASON – and the SORBS “founder” hasn’t a clue. Punish 1000 for the sin of 1 – THAT is the SORBS “mentality”. Do your own research online for ten minutes and find out what the MAJORITY of admins are saying – then STOP USING SORBS.
Thanks to SORBS, the FAX is making a comeback !
A few of my clients use SORBS, and now I back up every mail sent to them with a FAX.
SORBS continually puts Yahoo IPs and sometimes 1and1 IPs (the 2 services I use) in its BLs.
It really is hopeless; some of my clients have listened and stopped using SORBS, because they were losing sales. Their clients just went shopping to other places when their emails requesting quotations bounced like a basketball.
Thanks to SORBS, they have blacklisted over 65,000 IP addresses today because they blacklisted a /16 subnet. Absolutely brilliant. If not fixed quickly, my company will press legal action if any customer orders are lost.
Thank you SORBS. Absolutely horrible that this has happened a second time in a couple of months. Didn’t you learn from the last mistake in October!
Also, they are owned by GFI, but if you call GFI they have no way to get in touch with SORBS. Isn’t that brilliant. How did you buy a company if you don’t know their email?
SORBS are absolutely useless. They blacklisted one of my server IP addresses for no reason, then took over a month to delist it.
SORBS has had our newly assigned /24 block from ARIN in their DUHL since 2003! No response to tickets. No automated way to remove it.
We tried auto-removal on 1 IP address and didn’t meet the TTL requirements even though it was set higher than their FAQ says.
As it turns out, their TTL is cached and literally counts down!! Try the unblock and then hit refresh, you’ll see it counting down. How can we possibly meet the FAQ’s TTL when it’s counting down!