Update: Michelle Sullivan from SORBS comments below.
Update 2: Michelle comments again with an explanation of what went wrong.
Update 3: Check out our full interview with Michelle Sullivan about SORBS, blacklisting, the tech running behind the scenes, and their recent database problem.
Did you send an email today that got bounced because of something called SORBS? You’re not alone. Last night, the SORBS anti-spam blacklist (their site is slammed right now) accidentally updated its databases to include an enormous number of the Internet’s mail servers and networks. (The complaining on Twitter is intense.) Large blocks of IP address space owned by Amazon, Google, Rackspace, and others were included in this blacklist and marked as unacceptable for email.
If your mail server happens to live within those IP ranges, then you can’t send emails today to anyone else using the SORBS blacklist. Since tons of companies and people use those ISPs for hosting mail servers, you can imagine the pain and suffering this is causing.
So how does this all work? Anti-spam networks like SORBS were created as a way to reduce the amount of spam sent and received around the world. Spammers, like most email users, tend to send their emails from one or two mail servers. If you can locate the originating mail server for a piece of spam, then it can be put into a “blacklist” of known spammers. Those blacklists are compiled and shared by independent groups, like SORBS.
When an ISP receives a piece of email, it will check with the blacklist to see if that email came from a known spam server. If it did, then the ISP will simply reject the email entirely. It works pretty well – unless the blacklist becomes corrupted.
And that’s the problem with an “off or on” system like this that everyone uses. One corrupted database, accidental data entry, or misconfiguration is all it takes to create mayhem around the world for millions of innocent users.
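As an added illustration (not from the original post or from SORBS), here is how a mail server’s blacklist check works in practice and how it can avoid the “off or on” failure: DNS-based blacklists like SORBS are queried by reversing the sender’s IP under the list’s zone (dnsbl.sorbs.net is SORBS’s real aggregate zone), and the gate below fails open when the list suddenly flags almost every sender. The resolvers, IP addresses and thresholds are constructed stand-ins; nothing touches the network.

```python
import ipaddress
from collections import deque
from typing import Callable, Optional
# dnsbl.sorbs.net is the real SORBS aggregate zone; the resolvers below are constructed
# stand-ins that answer from a dict, so nothing here touches the network.
DNSBL_ZONE = "dnsbl.sorbs.net"
Resolver = Callable[[str], Optional[str]]

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the sender's IPv4 octets and append the zone: 1.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on garbage input
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip: str, resolve: Resolver) -> bool:
    """Listed IPs get an A record in 127.0.0.0/8; NXDOMAIN (None) means not listed.
    Any other answer is treated as a broken list, not as a listing."""
    answer = resolve(dnsbl_query_name(ip))
    return answer is not None and \
        ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

class BlacklistGate:
    """Rejects senders on a listing, but watches the recent hit rate: a healthy list
    flags few senders, so a sudden spike means the list itself is probably corrupted
    and the gate fails open (accepts, leaving content filtering to decide)."""
    def __init__(self, resolve: Resolver, window: int = 100,
                 min_samples: int = 10, max_hit_rate: float = 0.5) -> None:
        self.resolve, self.recent = resolve, deque(maxlen=window)
        self.min_samples, self.max_hit_rate = min_samples, max_hit_rate

    def hit_rate(self) -> float:
        return sum(self.recent) / len(self.recent) if self.recent else 0.0

    def should_reject(self, ip: str) -> bool:
        listed = is_listed(ip, self.resolve)
        self.recent.append(listed)
        if len(self.recent) >= self.min_samples and self.hit_rate() > self.max_hit_rate:
            return False  # list looks corrupted: stop rejecting until the rate recovers
        return listed
# Constructed sample feeds: a healthy one lists a single spam source ...
HEALTHY = {dnsbl_query_name("203.0.113.7"): "127.0.0.6"}
def healthy_resolve(name: str) -> Optional[str]: return HEALTHY.get(name)
# ... and a corrupted one (like the SORBS incident) answers "listed" for every query.
def corrupted_resolve(name: str) -> Optional[str]: return "127.0.0.6"

def rejected_count(resolve: Resolver, senders: list) -> int:
    """Run connecting IPs through one gate and count how many it rejected."""
    gate = BlacklistGate(resolve)
    return sum(gate.should_reject(ip) for ip in senders)
SENDERS = [f"198.51.100.{i}" for i in range(1, 31)] + ["203.0.113.7"]  # constructed
```

With the healthy feed only the one listed sender is rejected; with the corrupted feed the gate rejects a short burst, then notices that everyone is “listed” and stops rejecting on its own, which is the automated version of the advice to switch SORBS checking off until the list is repaired.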
By the way, if you run an email server that uses SORBS for blacklisting, you might want to disable the SORBS checking until this gets resolved.
Updated: More details from SANS ISC.