Now 7 days after the event, and SORBS is still listing our affected server.

Why does SORBS suck? More to the point, why am I writing this negative blog post? I’m writing it because SORBS has demonstrated itself to be wholly unprofessional, slow, and inaccurate, and is causing real problems for genuine ISPs, and countless people.

7 days ago the hosting company I work for found a client whose site had been hacked. It was quite nasty, and a Perl script was pumping out spam at a pace. Within an hour or so, we had tracked it down and got it shut down. Too late. We had appeared on a couple of blacklists, including Spamhaus and SpamCop, and SORBS (just 46 hits).

Within a few hours, the world recognised that we had stemmed the problem, and all was fine again… or was it…

SORBS still listed us. We tried to remove ourselves. SORBS has to be THE worst system I’ve ever used, ever. And I’ve used some pretty bad systems. If you’re going to allow companies to use your data to make decisions about whether or not to deliver email, you at least owe it to run a service that isn’t completely broken.

Let me give you concrete examples:

We couldn’t remember the password on an old account. Our fault, but not an uncommon issue, a quick password reset should do it right? The system wouldn’t let us reset it.

So, we created a new account. The confirmation email never arrived, I don’t think it was dispatched.

We attempted on 5 different occasions over a 3 day period to request a reset.

The system would take ages to deliver a message of the format:

“Confirmation email resent to: <BLANKNESS>”

Notice the blankness, it’s like the DB had timed out and it hadn’t got the value, or didn’t know it?!

OK, this is ridiculous, I need support. But wait! You need an account! How delightful! I’m stuck in a catch-22.

We tried the “Talkback to SORBS” – but this throws a database correction error, and has done for the last week. Why bother having the link there if you’re not going to run it?

In the end we managed to find our old username/password; otherwise we would have had to have waited however many days for the old account that you couldn’t confirm to drop off the system so that we could try again, naturally with little chance it’d actually work.

We logged in, started the delisting process to be told I don’t have access to perform a delisting?! Having jumped through all these hoops, the SSL crap, the gammy signup, the slowness/timeouts, the broken links, now having authenticated with this steaming POS we don’t have the authority?!

It’s not like we are a tinpot organisation, RIPE can verify that a pretty sizeable IP block belongs to us.

