SORBS.NET

SORBS (aka dnsbl.sorbs.net, SORBS) is a fake blacklist started by Matthew Sullivan in the fall of 2002, after ORBS was closed by court order.

2009: Matthew has changed his name to Michelle, according to his (her?) Linked-in profile

SORBS seems to have started around 2002, just after ORBS was shutdown, with a SourceForge project to implement an open relay scanning tool. The scanning tool doesn't seem to have been very successful. It is remarkable only as an example of bad programming.

SORBS is somewhat unique in that it extorts money from victims and subscribers. Subscribers are few and far between. SORBS has blacklisted the entire IP address space used by Av8 Internet, approximately 67,000 IP addresses, since May 2003, falsely claiming the IP addresses are somehow stolen. . Only a few dozen sites have been found to use SORBS. They don't use SORBS long.

SORBS is very similar to ORBS.ORG. ORBS was a fake blacklist run by Alan Brown. ORBS was shutdown after losing 2 defamation suits involving making false statements about ISPs that Brown didn't like(Actrix, Xtra). Brown was also found guilty in a third defamation suit (Domainz). This makes Brown a 3-time court-proven, habitual liar, who is also associated SORBS.

Some complaints by new SORBS users

If you are a SORBS Victim

Do not bother contacting SORBS. Contact the blacklist user by some other means, and ask them not to use SORBS. Have them review the claims for 130.105/16 and 198.3.136/21. Even if you are not an Av8 Internet customer, this listing demonstrates the disreputable character of SORBS and Sullivan well beyond what written history can do.

See Laws

History of Conflict with Av8 Internet, Inc

The story begins when Dean Anderson revealed that Alan Brown of ORBS was involved with conducting abuse of open relays. Av8 Internet and its predecessor has operated protected open relays since 1996, and no commercial bulk emailer has ever attempted to abuse its relays.

On March 28, 2003, Alan Brown, sent email to the SPAM-L list claiming that 130.105/16 and two other blocks were "stolen" March 28, 2003. There is no support for this claim. This first claim was ignored. Brown's second claim on May 15, 2003, was apparently picked up by SORBS operator Mathew Sullivan. According to SORBS records, on May 21, SORBS operator Mathew Sullivan began listing the blocks as "Hijacked/Zombie".

The Original Listing

http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=130.105.0.0

> The full listing is:
>
> Netblock 130.105.0.0 / 16
> Summary The OSF doesn't exist anymore, making this hijacked.
> Announced By [1784] Global NAPs Networks
> Entry Created Wed May 21 11:51:29 2003 AEST
> Record Updated Wed May 21 11:52:38 2003 AEST
> Currently active and flagged to be published in DNS
> Spam has not been received from this netblock.

The other blocks are 198.3.136/21 and 199.172.128/21. 198.3.136/21 is directly assigned to Av8 Internet, Inc. The other block, 199.172.128/21 was assigned by UUnet in 1994. More on that below.

To give you some idea of how little-used SORBS is/was this block was not noticed for over a month. In June, 2003, shortly after a Nanog meeting, we were contacted by a UUnet Admin demanding we return some IP Address space.

If you are not already familar with how IP address space is hijacked, you should review How IP addresses are hijacked

Veracity of The UUNET Block (199.172.128/21) Claim

Sullivan cites this incident as 'evidence'. The incident is only evidence of successful deception of ISP administrators by Sullivan.

Predecessors of Av8 Internet obtained Internet Connection to UUnet in 1993. Av8 terminated this UUnet connection in 2001 and was not due under UUnet's policy to return the UUnet IP space until Feburary 2004. After creating false entries May 21st, Sullivan tricked a UUnet Operations Group staff member Chris Morrow in inappropriately demanding return.on June 1st, 2003. Morrow was unaware that Av8 Internet was previously a UUnet customer and unaware of the proper return date for the IP Address space, as well as other issues. Morrow was misled by Sullivan. UUnet Operations Group operates the network equipment. Another group handles provisioning. This incident with UUnet demonstrates the intent to interfere in the business operations of Av8 Internet. Chris Morrow was misled, and the incident unnecessarilly harmed Av8 Internet operations, as Sullivan and Brown intended.

Veracity of the 130.105/16 Claim

The OSF does exist and simply surfing to www.osf.org takes one to www.opengroup.org. Plainly, if the OSF has never gone out of business, its address space is not hijacked. Even after learning that the OSF exists, Sullivan wants to know the details of the relationship between OSF/TOG and Av8 Internet. Sullivan is not entitled to this information, and by law it cannot be provided to him by Av8 Internet, beyond acknowledging that OSF/TOG is a customer of Av8 Internet.

The American Registry of Internet Numbers (ARIN) is the authority for the registration of this block. ARIN records Dean Anderson of AV8 Internet as the proper technical contact for this block.

Veracity of the 198.3.136/21 Claim

This block was permanently transferred by UUnet to a predecessor of Av8 Internet in 1993, which was common practice before Classless Inter-Domain Routing(CIDR) was introduced in 1994. It is recorded by the American Registry of Internet Numbers (ARIN) as being directly assigned to Av8 Internet . This space is plainly not hijacked.

ARIN is also the authority holding the registration records of this block. ARIN records the block as being assigned directly to Av8 Internet, and records Dean Anderson of Av8 Internet as the proper technical contact for this block.

Response by Av8 Internet

A complaint was made to XO Communications (hosting www.sorbs.net and www.isux.com). Sullivan also threatened to "mailbomb" on www.isux.com. See more about mailbombing. Mailbombers are spammers. They just aren't in it for the money. Or possibly they are. SORBS asks for donations from victims to get delisted, and also seeks donations from Subscribers. It is very unusual for blacklists to extort money from victims. Extortion is not so unusual, but usually not so overt.

Sullivan responded at 8:32 EST June 12, 2003. Later that day, a defamatory and nutty letter was emailed to The Open Group by Kai Schlicting.

Then, the listing was changed to:

  Netblock:130.105.0.0/16 (130.105.0.0-130.105.255.255)
  Record Created:Wed May 21 01:51:29 2003 GMT
  Record Updated:Sat Jun 14 23:46:50 2003 GMT
  Additional Information:Waiting for response from The Open Group - still suspected 
  and therefore listed.

Note that this "still suspected" assertion is almost identical to the false spam claims made by Alan Brown against ISPs he didn't like. As Brown learned, one is required by defamation law to make statements that are true. However, a problem exists that if we sue SORBS, then like ORBS, it will just close and pop up somewhere else. A rather expensive "whackamole" problem. Sullivan has challenged Av8 to sue him, and says he has no assets to pay damages.

Sullivan has later claimed (below) that Schlicting has nothing to do with SORBS, but the OSF has not been contacted by anyone else. Sullivan also claims that Brown has nothing to do with SORBS, but the claims come from Brown, and the wording and claims in the original block comes from Brown's message.

It is interesting that SORBS also blocks 198.3.136/21 even though that block is assigned directly to Av8 Internet. The whole "story" about needing "proof" is just a lie. 

  Netblock:198.3.136.0/21 (198.3.136.0-198.3.143.255)
  Record Created:Wed May 21 01:59:07 2003 GMT
  Record Updated:Fri Jun 13 23:24:45 2003 GMT
  Additional Information:More of Dean Anderson's Netblocks also appears to be hijacked.

 

More emails

Particularly interesting are the emails of June 2003, where

  1. Sullivan tries to weasel out of the XO complaint by claiming the www.sorbs.net and dnsbl.sorbs.net are different.
  2. Sullivan claims that "SORBS is however a non-profit company with no assets, no income and no debts, if you get your lawyers to do their home work, you can easily find out it's details."
  3. Sullivan "tires" of the discussion, says this discussion is "frivolous banter" and "spam", and threatens to block all further email.

SORBS Information Scam/Identity Theft

SORBS seems to be collecting a lot of sensitive information, just to view listings: 
Name:
Preferred Login ID:
Password:
Confirm Password:
Home Phone:
Business Phone:
Mobile Phone:
Email Address:
Company:
Autonomous Systems Number:
Security Question:
Security Answer:
Skill Level: None, I can play games though.
A little, just use them for email.
Average, familiar with them, used at home and work.
A lot, sysadmin or MCSE etc.
My Name is Charles Babbage, or Alan Turing.
Address:
Address:
Town/City:
State/County:
Zipcode/Postcode:
Country:

This detailed information could be sold to IT recruiters, used for identity theft, password collection, or used for other mass marketing purposes. Security questions are often used by sensitive sites such as domain registries to authenticate users who have lost their passwords. This is very alarming information collection.

Note: SORBS seems to have stopped asking for this information to view listing, as of a check made in May 2007.

Extortion/Money Scheme

SORBS has begun to demand money from victims as well as users. More on this as it comes in.

Current Contacts

The current state of affairs can be seen by comments on this email from Sullivan: (comments are in italics)

  Date: Wed, 30 Mar 2005 10:20:34 +1000
  From: Matthew Sullivan <matthew@sorbs.net>
  To: nanog@merit.edu<
  Subject: FYI/OT: AV8 zombie listing in SORBS & the rantings of Dean A 
  
  Dean Anderson wrote:
  >Hi folks. A few points about Sorbs (I've also started a web site
  >www.iadl.org to track abuse of the internet for defamation purposes. The
  >web site isn't finished, yet.)
  >
  >1) Someone said Sorbs is just Matthew Sullivan.
  >
  >Well, _Sullivan_ said it isn't just him. Yeah, sure, that has
  >credibilty...
  >
  >However, my own experience with Sorbs has revealed that it is also Alan
  >Brown (formerly of ORBS) and Kai Schlicting. We all remember Alan from the 
  >ORBS shutdown, I hope. Alan was found by three courts in separate cases to 
  >be defaming people (two by using a blacklist). 
  >
  > 
  >
  Dean, this is so far off topic its not funny. I am not going to discuss 
  this further on NANOG, should you wish to discuss it you are welcome to 
  join dnsbl-users@sorbs.net and make your case there (as anyone 
  interested is welcome to subscribe and take a look).
Anderson and others have tried discussing things with the script kiddies on spam-l. Anderson has tried with Steve Sobol's FREE list. That's fairly useless. Script kiddies have no interest in truth or facts. They are never wrong. And if any start to come around, the discussion is quickly ended.

  My information is that you did not apply for the address space in 
  question for AV8, and that you took the address space from your former 
  employers when you left by virtue of being the admin and technical 
  contact for the netspace.
The 130.105/16 space, as of March 2005, belongs to the Open Software Foundation, aka The Open Group. There is no reason for AV8 to "apply for it". But note the similarity with Kai Schlicting's nutty assertion that somehow OSF/TOG can't let AV8 use it. The 198.3.136/21 space is directly assigned to Av8 Internet, and was transferred in accordance with ARIN documentation requirements.

  That information has come from multiple reputable sources.
Apparently not very reputable. But more importantly, it did not come from the authortative sources: The Open Group, and did not come from ARIN. They are the only authoritative sources. No one else is authorized. So Sullivan is a liar, as are his "sources", if indeed, he has sources other than Alan Brown.

  I have repeatedly asked you for proof that you are the rightful owner of the 
  netspace, and am still waiting for that proof
Sullivan has repeatedly been told to look at the ARIN record: The rightful owner for 130.105/16 is the Open Software Foundation, aka The Open Group, as listed on the ARIN registration. Dean Anderson has never said he is the owner. Anderson is the authorized contact. He is authorized by The Open Group to use the space. The rightful owner of 198.3.136/21 is Av8 Internet. Like everyone else, you can check ARIN, which is the authoritative Regional Address Registry(RAR).


  - I'll be happy to delist any Zombie/Hijacked listings as soon as the 
  rightful owners have the netspace in their possession and where they 
  think they are the rightful owners and the information suggests 
  otherwise (your case), a small piece of evidence is required for the 
  delisting (eg a copy of a letter from the OSF stating that they gave you 
  the netspace as a leaving 'present')
There is no information that "suggests otherwise". An outright lie by Sullivan. There is no need for anyone to provide a letter to SORBS. This is a fallacy that is known as a "false authority", and SORBS uses many of the fallacies associated with false authority. This is yet another attempt at "social engineering" information that is irrelevant to the question of "ownership" or hijacking. 

.... and some facts that you seem to be lacking:
Anderson is the assigned contact for the address space. OSF still exists and does business as The Open Group. Anyone can browse to http://www.osf.org or http://www.opengroup.org. Sullivan, like Alan Brown in his three lawsuits, is lacking "an honestly held belief". It is interesting that Sullivan defends himself as having an "opinion". Most people speak the truth, and defend themselves from defamation by claiming truth as a absolute defense. 

  SORBS was created by me and I along with 18 other volunteers run it.
Funny that no one else seems to talk about their participation. I participate in organizations, and I talk about that participation. Funny that no one seems to talk much about associating with SORBS, except as a misled user. Actually, I note that Paul Vixie of ISC.ORG is associated with SORBS. 

  Neither Alan nor Kia have anything to do with SORBS (neither past or present).
Brown originated the claims on spam-l http://www.iadl.org/ab/AB-defame0.html in March 2003.

Kai contacted The Open Group http://www.iadl.org/ks/tog-defame.html hours after Sullivan responded to the first complaint. No one else has made any contact.

  My sites have not been, nor have ever been, booted from XO netspace (ns1.sorbs.net 
  and http://www.isux.com/ ).
Shortly after this complaint, sorbs.net was moved off of XO to ISC.ORG, and www.isux.com was simply shut down. As of 3/31/2005:

         www.isux.com. 3600 IN CNAME vortex.isux.com.
         vortex.isux.com. 3600 IN A 209.220.100.157
The IP address belongs to XO, but no response is found on port 80. 

  I have never been a student of The University of Queensland.

This may be true. Presently, UQ has a search engine which lists Sullivan as a member of its IT staff.

  Regards,
  
  Matthew
  
  PS: If you reply in NANOG, don't expect a reply from me this is OFF TOPIC!

Abusive blacklists are a frequent topic of NANOG. In particular, SORBS abuse has been discussed several times on NANOG. Sullivan posts frequently on blacklist issues.