Your Emails Not Working? It’s Not Just You – #sorbs

Update: Michelle Sullivan from SORBS comments below.

Update 2: Michelle comments again with an explanation of what went wrong.

Update 3: Check out our full interview with Michelle Sullivan about SORBS, blacklisting, the tech running behind the scenes, and their recent database problem.

Did you send an email today that got bounced because of something called SORBS? You’re not alone. Last night, the SORBS anti-spam blacklist (their site is slammed right now) accidentally updated their databases to include an enormous number of the Internet’s mail servers and networks. (The complaining on Twitter is intense.) Large portions of IP addresses owned by Amazon, Google, Rackspace, and others were included in this blacklist and marked as unacceptable for email.

If your mail server happens to live within those IP ranges, then you can’t send emails today to anyone else using the SORBS blacklist. Since tons of companies and people use those ISPs for hosting mail servers, you can imagine the pain and suffering this is causing.

So how does this all work? Anti-spam networks like SORBS were created as a way to reduce the amount of spam sent and received around the world. Spammers, like most email users, tend to send their emails from one or two mail servers. If you can locate the originating mail server for a piece of spam, then it can be put into a “blacklist” of known spammers. Those blacklists are compiled and shared by independent groups, like SORBS.

When an ISP receives a piece of email, it will check with the blacklist to see if that email came from a known spam server. If it did, then the ISP will simply reject the email entirely. It works pretty well – unless the blacklist becomes corrupted.

And that’s the problem with an “off or on” system like this that everyone uses. One corrupted database, accidental data entry, or misconfiguration is all it takes to create mayhem around the world for millions of innocent users.

By the way, if you run an email server that uses SORBS for blacklisting, you might want to disable the SORBS checking until this gets resolved.

Updated: More details from SANS ISC.

Essential Guide to Mobile App Testing


  1. Will Johnson says

    Hey Michelle, are you going to fix SORBS to stop blocking dynamically assigned IP addresses within AOL ? Or are you still going to keep penalizing AOL users for something they have absolutely no control over?

    And how about some transparency at SORBS over this fictitious “Legal Defense Fund” ?

  2. Tweeks says

    Thanx Stanton.. Yes.. I red that. I was one of the fist posters on Twitter about the issue. I Was just looking for something more official from the folks (person) at SORBS.


  3. Tweeks says

    Hey @michelle..

    Is there a timeline or official listing of the events anywhere that you all can provide us with that we can in turn give to our customers?

    I think at least this much is due..;)


  4. says

    Pete – I actually agree with you, but I don’t think most people setup their filters that way. And if they did, what’s the criteria you use to assign weights to different kinds of DNSBL flags?

    I don’t think there’s a real standard of filter behavior out there that addresses this. If there is, please do pass it along.

  5. Pete says

    There is no compulsion to configure DNSBLs such as sorbs in an “off or on” configuration. By doing so you delegate the accept/reject decision to a (flakey in the case of SORBS) third party which is really not a good idea. DNSBLs are very useful but only as a single piece of information to be evaluated along with all other information about an incoming message.

  6. says

    Problem located. During our Migration from SORBS1 to SORBS v2.0 the historical DUHL listings were migrated and the historical flag as not set at the same time. Net result is 400k netblocks were inserted as ‘current’ where only 300k were live listings, the remainder (in some cases sizable ones) were relisted when the netblocks themselves had been repurposed as ‘static’.


  7. says

    We have experienced a DDoS attack today which was ‘smart’ we have mitigated it so the site is now operational if a user waits about 10-15 seconds for the response.

    We have had reports that we have a database corruption, there is no evidence of that but to be safe we have emptied the DNS zone files and the rsync files until we can check the database for any possible errors. We expect this to be complete within 24 hours.


  8. Printoutlet says

    Looks like a major issue, some Gmail, Yahoo and a lot of other mail servers were blocked by SORBS


Leave a Reply

Your email address will not be published. Required fields are marked *