
SANS ISC InfoSec Handlers Diary Blog

blacklisting all IP addresses

Published: 2008-03-26
Last Updated: 2008-03-26 17:22:35 UTC
by Raul Siles (Version: 1)

Since yesterday, March 25 (I started to see it around 8:00am EST), ORDB, one of the old SPAM blacklist databases, has been blacklisting (or blocking ;)) all IP addresses. As a result, every mail server whose SPAM filtering solution still references ORDB immediately started to block all incoming e-mail. I got some reports into my personal e-mail yesterday; the problem was finally fixed by my provider today.

Although ORDB was shut down on December 18, 2006, yesterday its behaviour changed: instead of timing out, it now lists all IP addresses, that is, every e-mail server queried is reported as an open relay. If your mail infrastructure uses ORDB, senders will get a message like this one (this example shows the Gmail servers being blacklisted):

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 550-Message rejected because []:20081 is
550-blacklisted at see was shut down on December 18,
550 2006. Please remove from your mailserver.

E-mail administrators (if your users have not already told you that they have not received a single e-mail in the last 24 hours), please check that your SPAM filtering solution is not querying ORDB!

(...and a lot of them query ORDB by default)
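A quick way to catch a dead or wildcarding blacklist before it silently blocks all your mail is to probe the zone with the standard DNSBL test addresses: a working list must answer for 127.0.0.2 and must not answer for 127.0.0.1 (the convention later written down in RFC 5782). The following check is an added example, not part of this diary; the zone name is a placeholder, and the lookup function is injectable so the ORDB-style "everything is listed" behaviour can be simulated offline with a constructed resolver.

```python
import socket
from typing import Callable, Optional, Tuple

Lookup = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets under the zone.
    e.g. 192.0.2.10 in relays.example.test -> 10.2.0.192.relays.example.test."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def dns_lookup(name: str) -> Optional[str]:
    """Real resolver: A record for the query name, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(zone: str, lookup: Lookup = dns_lookup) -> Tuple[bool, str]:
    """Return (healthy, reason) for a DNSBL zone using the RFC 5782 test addresses.
    127.0.0.1 MUST NOT be listed; a hit means the zone lists everything (as ORDB did)
    and every sender would be rejected. 127.0.0.2 MUST be listed; a miss means the zone
    is gone or unreachable and gives no protection at all."""
    if lookup(dnsbl_query_name("127.0.0.1", zone)) is not None:
        return False, "lists 127.0.0.1: zone is wildcarding, all mail would be blocked"
    if lookup(dnsbl_query_name("127.0.0.2", zone)) is None:
        return False, "does not list 127.0.0.2: zone is dead or unreachable"
    return True, "ok"


# Constructed resolvers that stand in for DNS, so the check runs offline.
def wildcard_lookup(name: str) -> Optional[str]:
    """Simulates a list that answers 'listed' for every query (the ORDB failure mode)."""
    return "127.0.0.2"


def healthy_lookup(name: str) -> Optional[str]:
    """Simulates a correctly behaving list: only the 127.0.0.2 test entry is listed."""
    return "127.0.0.2" if name.startswith("2.0.0.127.") else None


if __name__ == "__main__":
    for label, fn in (("wildcard", wildcard_lookup), ("healthy", healthy_lookup)):
        print(label, check_dnsbl("relays.example.test", lookup=fn))
```

Run it against each zone your filter is configured with (with the default `dns_lookup`) from a cron job, and alert on anything that is not "ok".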

The real reason behind this change in behaviour is not yet clear.
Raul Siles

Keywords: ORDB spam