Are you having email problems this morning? If you are getting bounce-backs referencing SORBS, read on, my friend. It appears that the Real Time Blacklist (RBL) SORBS made a critical error yesterday that is causing havoc for almost all email users. (Internet Storm Center) Sometime yesterday, the SORBS anti-spam blacklist (their site is currently suffering from its popularity today) accidentally updated their databases to include an enormous number of the Internet’s mail servers and networks. IP addresses owned by Amazon, Google, Rackspace, and others appear to have been included in this blacklist and marked as unacceptable for email. (uTest)
If your mail server IP is listed within those IP ranges, then you more than likely won’t be able to send emails today to most anyone using the SORBS blacklist. On the flip side, if your mail server subscribes to the SORBS list, you may want to temporarily disable that setting until this issue is resolved.
RBLs like SORBS were originally created to help reduce the amount of email spam sent and received around the world. Typically a spammer will send their emails from one or two mail servers. If the spammer’s server can be located, then its IP can be put into a “blacklist” of known spammers. Those blacklists are compiled and shared by independent groups, like SORBS.
Many ISPs, email providers and IT administrators will check these blacklists when they receive a piece of email. If that email came from a known spam server, it will be rejected entirely. However, relying on any single source or RBL to block spam is not a best practice, as becomes clear when the RBL is corrupted.
This can cause serious outcry, e.g. on Twitter.
For information about other Blacklists that have shut down or Blacklists that are having problems, view this forum post.
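The blacklist check described above, as an added example that is not code from the original post: it builds the DNS lookup name a receiving server queries for each list and rejects only when two lists agree, so one corrupted list cannot bounce mail on its own. The zone names, the `resolve` callback, the `reject_at` threshold, the "flag" outcome and all DNS answers are constructed assumptions.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Lookup name for an IPv4 address: octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve):
    """A list signals a hit with an A record inside 127.0.0.0/8.
    `resolve` (assumed interface) returns A-record strings, [] when no record exists."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in LOOPBACK for a in answers)

def verdict(ip, zones, resolve, reject_at=2, disabled=()):
    """Reject only when `reject_at` lists agree; a lone hit is flagged, not bounced.
    `disabled` lets an operator pull a misbehaving list without touching the rest."""
    hits = [z for z in zones if z not in disabled and is_listed(ip, z, resolve)]
    if len(hits) >= reject_at:
        return "reject", hits
    return ("flag", hits) if hits else ("accept", hits)

# Constructed data: rbl-a.example stands in for a list that wrongly lists a
# legitimate mail server (192.0.2.25); 198.51.100.7 is a real spam source.
ZONES = ["rbl-a.example", "rbl-b.example", "rbl-c.example"]
CONSTRUCTED_DNS = {
    "25.2.0.192.rbl-a.example": ["127.0.0.2"],
    "7.100.51.198.rbl-a.example": ["127.0.0.2"],
    "7.100.51.198.rbl-b.example": ["127.0.0.4"],
}

def fake_resolve(name):
    # Offline stand-in for a DNS A-record lookup.
    return CONSTRUCTED_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(ip, "single list:", verdict(ip, ZONES[:1], fake_resolve, reject_at=1)[0],
              "| two must agree:", verdict(ip, ZONES, fake_resolve)[0])
```

Passing the affected zone in `disabled` corresponds to temporarily switching off one list, as suggested above for servers that subscribe to SORBS.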
We have been alerted that multiple zero-hour viruses are passing through the Postini filters. Postini has issued an alert that they are updating the virus filtering to address the latest variant of this attack. However, while Postini continues to make changes to their filtering to adapt to this new threat, we recommend that our customers temporarily block .zip attachments. Please note that this would block ALL messages that have a .zip attachment and would place each message in the user’s Postini Quarantine.
To enable this filter, follow these steps:
- Access the User Level of your Organization
- Select Attachment Manager under Inbound Services
- Select Edit and turn the Filter ON and we would recommend checking the box for ‘Allow all email from Approved Senders’ as well.
- If you have more than one sub-org we would recommend checking the box for ‘Apply these settings and filters settings to existing sub-orgs’.
- After enabling the filter you need to configure it to quarantine .zip attachments.
- Select Filters and under Custom File Types add .zip next to User Quarantine
- Click Save and the filter is applied. Now any message with a .zip attachment will be placed in the user’s Quarantine.
If you would like to stay updated on this issue we would recommend checking the Current Issues page for Postini Services at http://www.google.com/support/appsecurity/bin/static.py?page=known_issues.cs .
I have added some additional information to the SMTP Diagnostic test tool so that we can better troubleshoot Server Down alerts when customers are puzzled because they saw no outage.
I have added the full SMTP transaction transcripts to the SMTP Diag Alert emails. I also configured it to include the actual timeouts for “Timeout occurred due to inactivity” alerts which are what cause the SMTP Diag Failed emails.
Remember that just because we issue an SMTP Failed alert does not mean that they were down or offline, just that they were unable to respond to our connection request within 15 seconds. They should have our testing networks whitelisted on their firewalls and SMTP defense mechanisms.
Product Development Engineer
Update 8/5/2010 11:55 CDT: We have made additional changes to the SMTP Monitoring code to try to alleviate the lingering false Down alerts. Please continue to give us feedback if you continue to experience them.