SORBS Corruption Cause for False Positive Surge


Over the last two days, sporadic reports have surfaced about an increased number of email misclassifications. It has now come to light that the sudden surge in false positives was caused by a corruption of the SORBS blacklist.

SORBS has already addressed the issue, but we still advise affected ORF users to temporarily disable the SORBS blacklist or to put their logs under closer scrutiny over the following days.

According to Michelle Sullivan, founder of the now GFI-owned SORBS, the database was corrupted during a database migration, which caused over 79 000 entries to be incorrectly flagged as spammers. Since most entries contained more than one IP address or domain, it is not yet clear how many domains were affected, but the numbers are possibly in the millions.

Sullivan explained that SORBS stores historic data on previously reported dynamic IP ranges that have since been repurposed as static. During the migration, the cleared flags were dropped from the historical entries, causing large network blocks to be falsely included in the blacklist. The problem was compounded by an apparent DoS (Denial-of-Service) attack on SORBS servers at the same time.


by Peter Karsai (ORF Team) 8 years ago
