Towards assessing SORBS' false positive rate

January 8, 2006

I was somewhat surprised to read in Chris Linfoot's blog that he uses SORBS, because I've always considered the top-level blocklist a little too aggressive. (Considering that I use SPEWS, this may be a little bit of throwing rocks in glass houses.)

(Update: Chris Linfoot does say that you need a good whitelist to use SORBS.)

Out of curiosity I decided to get a very broad sense of the potential 'false positive' rate for using as a whole by seeing how many IP addresses that had successfully delivered email to us over the past 28+ days were listed in SORBS.

Over this time period, 425 different IP addresses delivered one or more messages. 27 of them are listed in; since some spam mail gets through our blocks, these aren't necessarily all false positives. Let's take a look at who's included in the roughly 6% of successful mail deliveries that SORBS would have blocked:

  • and several hosts
  • a number of Hotmail machines. Yes, they emit lots of spam, but we do get legitimate email from them.
  • two machines

The overall list is a conglomerate of a number of different sub-lists. On checking, all 27 IP addresses were from the 'Spam DB' list, assembled from things that have hit SORBS spamtraps. Most of them are not listed in any other DNS blocklist (some are in and/or, both of which are very aggressive, a few were in, and one was also in
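The measurement described above, as an added example that is not part of the original post: it pulls the distinct delivering IPs out of a constructed log sample, builds the reversed-octet DNSBL query name for each, and counts how many are listed and under which sub-list. The zone `dnsbl.example`, the log line format, the answer-code map and the fake resolver are all assumptions made for this example; a real list's zone and return codes come from its own documentation.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample of accepted-delivery log lines (invented format, RFC 5737
# documentation addresses) standing in for the real 28 days of mail logs.
SAMPLE_LOG = """\
Jan  7 10:01:12 mx mta: from=<a@example.org> relay=[192.0.2.10] stat=Sent
Jan  7 10:05:44 mx mta: from=<b@example.net> relay=[198.51.100.7] stat=Sent
Jan  7 10:09:02 mx mta: from=<c@example.com> relay=[192.0.2.10] stat=Sent
Jan  7 10:15:31 mx mta: from=<d@example.org> relay=[203.0.113.42] stat=Sent
Jan  7 10:20:00 mx mta: from=<e@example.net> relay=[198.51.100.9] stat=Sent
"""
RELAY_RE = re.compile(r"relay=\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Placeholder map from DNSBL answer code to sub-list; a real list documents its own.
SUBLIST_OF = {"127.0.0.6": "spam-db", "127.0.0.10": "dul"}

def delivering_ips(log_text):
    """Distinct IPv4 addresses that successfully delivered mail (one vote per IP)."""
    ips = set()
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            ips.add(str(ipaddress.IPv4Address(m.group(1))))  # rejects bad octets
    return ips

def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed under the zone, 192.0.2.10 -> 10.2.0.192.zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def assess(ips, zone, resolve):
    """Count listed senders and the sub-list that caught each. `resolve` maps a
    query name to its A-record text or None (NXDOMAIN); injected so this runs
    offline. The result is a ceiling on the false-positive rate: a listed
    sender may really be spam that slipped through the local blocks."""
    hits = Counter()
    listed = 0
    for ip in sorted(ips):
        answer = resolve(dnsbl_name(ip, zone))
        if answer is not None:
            listed += 1
            hits[SUBLIST_OF.get(answer, answer)] += 1
    return listed, len(ips), hits

# Constructed stand-in for the DNSBL zone: two of the four senders are "listed".
FAKE_ANSWERS = {"10.2.0.192.dnsbl.example": "127.0.0.6",
                "9.100.51.198.dnsbl.example": "127.0.0.6"}

def fake_resolve(name):
    return FAKE_ANSWERS.get(name)
```

For a live run, replace `fake_resolve` with a function that wraps `socket.gethostbyname` and returns None on `socket.gaierror`.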

I'm not too surprised by this result, because I consider all automated 'hit a spamtrap and get listed' blocklists to be too dangerous (we don't even do this with our spamtraps locally; for most domains, they only cause email to get deferred).

(While we use, we use it to delay email, not to reject it. The logic behind this is for another entry.)

Needless to say, this is a little too aggressive for us to use here. While we could exempt the important domains we've seen today, there's no certainty that some other important domain we get email from won't briefly have a spammer who hits a SORBS spamtrap and then blam. (Given some of the important local ISPs, I'm actually pretty sure that this will happen at some point.)

Comments on this page:

From at 2006-02-22 16:04:32:

This looks like a source of info for me currently suffering from a spammer operating from HELO ( (HELO ( Is there a way I can stop this menace?? Thank you for your assistance Joe

By cks at 2006-02-23 13:59:47:

I'm afraid that I've got no hints for getting's attention. They don't seem to have a registered contact address; might produce some results, or might not.

In fact, they sent enough spam (probably advance fee fraud stuff through their webmail systems) our way that we've blocked them entirely (it got mentioned in passing in SpamSummary-2005-11-19). Given the pile of stuff being reported in, it seems the right decision.

If you run your own mail server, block them. If you don't run your own mail server, you have a problem; this is why I can't imagine not running my own mail server on today's Internet.

Written on 08 January 2006.
Last modified: Sun Jan 8 01:43:19 2006