The curious case of Spamhaus, a port scanning scandal, and an apparent U-turn

In recent months, several security researchers have said Spamhaus has been automatically blocking people for carrying out legitimate network port scanning and failed to provide a prompt means of redress. Spamhaus, a non-profit provider of blocklists and cyber-threat detection, insists nothing like that has happened at all. " …

  1. Mark 85

    Banning IP addresses is probably not a long term solution.

    By banning the IP address, once the scammers know it's happened they will simply change addresses, I'd think. So what happens when the ISP re-assigns the IP address? Or in some cases like where I am, the IP address isn't static. We get a new one every few months.

    Or maybe I missed something here....

    1. Kevin McMurtrie Silver badge

      Re: Banning IP addresses is probably not a long term solution.

      Good networks can kick off abusers in a few hours or less, so they're not much use for criminals. Criminals typically use networks that have chronically poor security, slow responses, or don't even have a means to report abuse. Good blacklists target these ranges of IP addresses where there's always a high level of abuse activity.

      Now for the complicated part - Criminals and pro-criminal hosting engage in legal and technical attacks against blacklist maintainers. Endless lawsuits, hiring DDoS attacks, PR smears, attempting to poison blacklists, or games rotating IP addresses to maximize false positives and negatives. Over time, blacklist maintainers start to wear out and the quality of the service may decline.

      1. Alan Brown Silver badge

        Re: Banning IP addresses is probably not a long term solution.

        "Criminals and pro-criminal hosting engage in legal and technical attacks against blacklist maintainers."

        And this happens a lot more than you may think. Think "Userfriendly" and "Steph" - at least one set of legal (and media) actions has been launched by company MARKETING departments, rather than actually deal with their abuse-friendly policies.

      2. Anonymous Coward

        Re: Banning IP addresses is probably not a long term solution.

        re: "the quality of the service may decline"

        It depends on which side of the equation you're on as to whether this is a good thing or a bad thing.

        A properly-implemented scanner will syn-synack-rst an open port because only the ignorant perform half-open (then abandon) scans. The reason is, if enough 'security companies' perform half-open scans, no legitimate user will be able to connect because all of the available ports will be in the SYNACK state waiting for the next packet until the tcp timeout. Inn Yee Olden Dayes (the 1980's) this wasn't a problem because 1/2 of the internet could connect to dockmaster.navy.mil and it would still have had available capacity to service actual users, but today, when every jerk and her brother are security researchers, this is no longer the case. This isn't a simple problem to solve. If Spamhaus whitelists an IP address and that address isn't a major company's email gateway, then the miscreants themselves will either block it or (more probably) lie to it.

  2. JohnFen

    Spamhaus has been a problem for years

    "Were that to be true, it should logically follow that there should be at least some internet users out there complaining of getting listed by us due to their IPs being spoofed by some rogue third party. We are not aware of any."

    I'm not sure that means anything. Every so often my public-facing IP gets on the Spamhaus blacklist (admittedly, this hasn't happened in a few years) for no discernible reason. Contacting them about it had always been useless, so I changed my policy to avoidance. Rather than contacting them, I just arranged to have a different public-facing IP.

    That's a real hassle, though, so I'm very glad that this hasn't happened in so long. Maybe Spamhaus fixed something broken, maybe they didn't, I have no way of knowing. But I do know that the bad taste in my mouth about them remains, probably forever.

    1. Anonymous Coward

      Re: Spamhaus has been a problem for years

      @JohnFen & "Maybe Spamhaus fixed something broken"

      or perhaps whatever was being done from your IP to get you blocked has stopped, you finally implemented security or got rid of someone for instance?

      They tend not to ban without cause so you being repeatedly banned suggests, to me, that something was not right at your end

      1. Anonymous Coward

        Re: They tend not to ban without cause

        They told you that. Why do you believe them?

        Their official spokesman acts like a dick, gives the distinct impression the company probably does too.

      2. NATTtrash

        Re: Spamhaus has been a problem for years

        Rubbish. I've even seen them block perfectly legit IPs. I can remember them blocking ProtonMail for example about 3 years ago (Please forgive not remembering when exactly... Korsakoff kicking in I'm afraid...)

        1. Anonymous Coward

          "I can remember them blocking ProtonMail for example about 3 years ago"

          I can't find any reference to it - can you please report relevant information?

          Anyway, any "legit" IP can be blocked if someone abuses it - once we got blocked by Google when a rogue employee decided to use the company network for a "mailing list" of his....

      3. JohnFen

        Re: Spamhaus has been a problem for years

        "or perhaps whatever was being done from your IP to get you blocked has stopped"

        That's possible, but I keep a pretty close eye on what happens on my systems. If there was actual nefarious activity coming from my systems, it would have been VERY helpful if Spamhaus was willing to tell me what the issue was so I could address it.

        Aside from one communication (which was very rude and unhelpful), what I got from them was radio silence. That doesn't do anybody any good, and is why I don't view them in a terribly positive light.

        1. Kiwi
          Pint

          Re: Spamhaus has been a problem for years

          it would have been VERY helpful if Spamhaus was willing to tell me what the issue was

          Oh yes, I got that too.. Mainly 'radio silence' but I also recall either something about it being a 'privacy issue' or a 'security issue' for them to let us know what it was they thought was wrong.

          Security issue like.... I could fix my system and reduce their numbers a little.

      4. Kiwi
        FAIL

        Re: Spamhaus has been a problem for years

        They tend not to ban without cause

        It is true that they do not ban without cause.

        The problem is, the 'cause' so often is "because we're scum, and we can".

        1. Anonymous Coward

          Re: Spamhaus has been a problem for years

          Our company's mail used to be partially hosted by NetSol and at that time, I learned, they'd been on Spamhaus' blacklist for quite some time because the RFC's said one thing and NetSol's engineers said something else, so SpamHaus blacklisted them (and incidentally, us.) When I reported the problem to NetSol, they referred me to SpamHaus. When I reported the problem to SpamHaus, they referred me to NetSol along with the list of RFC's that NetSol was violating. After reading the RFC's and agreeing with SpamHaus, I disabled the SpamHaus blocklist on my mail server so that the two parts of our company could email each other...

          1. Kiwi

            Re: Spamhaus has been a problem for years

            they referred me to NetSol along with the list of RFC's that NetSol was violating

            At least they told you what the issue was. So often the victims of their wrongdoing have been met with silence.

      5. TreasureHunter

        Re: Spamhaus has been a problem for years

        "They tend not to ban without cause". True...but that cause is often not a cause at all...just a butthurt 90s troll that hasn't got a clue how today's social interactions are done.

    2. gnarlymarley

      Re: Spamhaus has been a problem for years

      @JohnFen: Every so often my public-facing IP gets on the Spamhaus blacklist (admittedly, this hasn't happened in a few years) for no discernible reason.

      Perhaps you have an open wireless access point that is allowing someone (maybe neighbors or some random person) to do attempted hacking. I have *never* had a public IP show up on any Spamhaus blacklist.

      1. JohnFen

        Re: Spamhaus has been a problem for years

        "Perhaps you have an open wireless access point that is allowing someone (maybe neighbors or some random person) to do attempted hacking."

        Not at the time, no.

    3. Kiwi
      Flame

      Re: Spamhaus has been a problem for years

      But I do know that the bad taste in my mouth about them remains, probably forever.

      The same. For a long time (and maybe even still today), anyone setting up a mail service through any of the ISPs now run by Vodafone NZ would have HUGE hurdles to get off SH's blocklist. They didn't block individual IPs, they blocked entire service providers.

      They are scum. A law unto themselves, and an absolute nightmare to deal with.

      We especially loved it when, as a computer repair/web design/server building etc firm, SH actually challenged us as to why we would want to be running our own email server - they had us marked as spammers because of the ISP we were initially with.

      Later, when we changed ISP to get around this, we were "spammers" because our IP had previously been blacklisted.

      That was some time back, but it doesn't sound like they have improved much. Perhaps their victims can start taking them to court.. Set one set of self-serving scumbags onto another lot of self-service scumbags, wait for the smoke to settle and hope the courts produce some common sense for a nice change.

      1. stiine Silver badge

        Re: Spamhaus has been a problem for years

        Hell, I used to block all of the USSR, China, and all of South America, quite some time ago. For the damn good reason that 100% of the traffic from those locations was malicious.

        By the way, I'd like to hear your version of "...hope the courts produce some common sense for a nice change."

        1. Kiwi

          Re: Spamhaus has been a problem for years

          Hell, I used to block all of the USSR, China, and all of South America, quite some time ago. For the damn good reason that 100% of the traffic from those locations was malicious.

          Some people trade with those countries. Much of what you use today comes from at least one of them (sadly - quite a fan of local manufacturing)

          By the way, I'd like to hear your version of "...hope the courts produce some common sense for a nice change."

          Justice. You know, where the ones who did the crime do the time and the ones who are victims get compensated[1], not where the ones who can buy the priciest lawyer win and the lawyers (and sometimes judges) get richer.

          [1] Or vindicated. Or their story told. Or...... Sometimes a sincere apology and recognition that wrong was done is enough - but often too much to ask for in these cases. Scamhaus will never admit to wrongdoing, never admit they harm people, never admit they're often more damaging to businesses than the stuff they claim to protect you from.

      2. Kevin McMurtrie Silver badge

        Re: Spamhaus has been a problem for years

        Vodafone is block-on-sight with me. Vodafone has a spam filter on their abuse contact that works very well - so well that it rejects any mention of their own abusive customers. Spamhaus is being generous.

  3. Anonymous Coward

    For the love of..

    If I catch someone is in my backyard checking to see if the windows and doors are locked, I'm not buying them a drink. Spamhaus can and should be allowed to do what they'd please.

    1. Kevin McMurtrie Silver badge

      Re: For the love of..

      Of course they can do whatever they please. Blacklists are used or not used according to how well they serve a purpose. Nobody is forcing anyone to use any blacklist.

      I use Spamhaus at the moment but it's catching virtually nothing these days. I have my own blacklist that's much more strict: Any network that doesn't have a working abuse contact is entirely banned (CNNIC, Vodafone, DigitalOcean, etc.). Any network that allows abuse from "big names" is banned (SendGrid, Oracle, Amazon, C7, Nobis, etc.). Any network that is chronically hacked is banned (Yahoo, all of Taiwan, OVH, VNPT, etc.).

      1. Allan George Dyer

        Re: For the love of..

        @Kevin McMurtrie - "Nobody is forcing anyone to use any blacklist."

        Well, most users are unaware of what blacklists their ISP or IT team is using. Most ISPs would refuse to give details to ordinary customers because of "security". Maybe the customers would approve, but it isn't fully-informed consent.

      2. Anonymous Coward

        Re: For the love of..

        I'm using Spamhaus and a lot of spam is caught - sure, if you block most of the Internet you can ignore it - but not many have the option to block all the networks you say you block.

      3. Peter2 Silver badge

        Re: For the love of..

        Whilst it would be lovely to go down the route of banning entire networks and providers that I don't like, my users are a bit insistent that when we get business emails from somebody that happens to have a Yahoo address that we receive them. Especially when it involves them handing us lots of cash.

        1. J. Cook Silver badge

          Re: For the love of..

          Indeed - if that were the case at [RedactedCo], Google and Microsoft would have been blacklisted years ago for spamming...

      4. Alan Brown Silver badge

        Re: For the love of..

        "I use Spamhaus at the moment but it's catching virtually nothing these days. "

        Way back when, that was why other blacklists started popping up.

        When they got "too effective" is when they started getting heavily targeted by abuse-friendly networks for affecting their bottom lines. Burnout becomes a major issue when faced with those kinds of attacks and that has a lot to do with the high turnover of lists.

        If Spamhaus lists something(*) there's invariably a bloody good reason for it and when the whiners start actually giving out the affected IPs(**) you'll usually find 20 or 30 people popping up with their own evidence of abuse - or you'll find that the whiner in question is trying to send mail from dialup/DSL enduser IPs and being smacked down by someone who refuses to accept mail from such hosts. There's a lot of cases of throwing shit at a wall and hoping it'll stick.

        (*) - Spamhaus entries are always listed along with the evidence trail.

        - There are multiple lists, comprising various classes of problem.

        - Spamhaus LISTS suspect IPs. It's up to admins to make the final decision. Private property rights and all that guff - attempting to force a network to accept connections from any other network is an extremely dangerous path to go down and can backfire spectacularly on the litigant.

        (**) - Complainants seldom if ever disclose their IPs, or their background.

        - Fatuous accusations of "Waaaaah!!! Spamhaus blocked me. My Frea Speach is being oppressed" without any actual backup are commonplace. (see point 2 above).

        - In virtually all such cases it's because the whiner is attempting to send mail from a designated enduser IP (DSL or dialup) and the receiving side says NO. Most of the rest are customers of egregiously spam-friendly ISPs (such as certain Ukrainian/Russian/Chinese networks).

        1. Kiwi
          FAIL

          Re: For the love of..

          or you'll find that the whiner in question is trying to send mail from dialup/DSL enduser IPs and being smacked down by someone who refuses to accept mail from such hosts

          If, as a business OR a home user, I wish to build my own mail server, who gives some self-appointed people who are in another country the right to decide whether or not MY business is allowed to perform LEGITIMATE and LEGAL functions as I wish to run them?

          What gives SH the right to decide whether or not my company's functions are legitimate based solely on my choice (or otherwise) of ISP?

          Not every one has 50,000 ISPs to choose from.

        2. ElReg!comments!Pierre
          FAIL

          Re: For the love of..

          If Spamhaus lists something(*) there's invariably a bloody good reason for it

          Absolutely. In the case of my individual home IP addy, the reason is that I sent one email from a yahoo-hosted account to a fellow of mine who works at the local hospital ("protected" by SpamHaus) to refer a patient.

          There is a reason. It's just absolutely idiotic.

          Spamhaus are worse than Equifax, because the methods are the same but their reach is far wider and they are more moronically entrenched in their sense of self-righteousness.

          1. Kiwi
            Flame

            Re: For the love of..

            If Spamhaus lists something(*) there's invariably a bloody good reason for it

            Absolutely. In the case of my individual home IP addy, the reason is that I sent one email from a yahoo-hosted account to a fellow of mine who works at the local hospital ("protected" by SpamHaus) to refer a patient.

            The most common one I saw (where I was directly involved) was "new business under newly registered domain". So if a business wants to use "personsname@hotmail.com" they're perfectly trustworthy and we should do business with them, but if they wish to use "person@newitbusiness.com" then we must not ever trust them as an IT business because they're obviously scammers and could not possibly be someone who wants to do things right from the outset.

            Because many of the larger ISPs use scamhaus and their ilk (well, actually it was only SH who messed with legitimate businesses), our customers would not receive emails from us because we constantly wound up on their blacklists. Our emails were either in response to customer queries (so a potential customer sent us an email and we replied) or in some cases us contacting the likes of Dell to arrange to be their customers - ie our only "unsolicited" emails were legitimate business emails to potential partners who actually sought such emails anyway so they weren't "unsolicited" even though they were commercial.

            So SH acted to block legitimate and perfectly legal national and international commercial communications.

            One poor person I know of was blocked for such a problem as yours. They were with the NZ ISP "Spark" (then known as "Telecom") who had contracted their email out to Yahoo. Because of Yahoo's reputation with SH, sending emails between him and his wife (at home or via the home email address) or sending business emails from his home IP (ie sending to the IMAP mail server of his business (NOT with Telecom) and the server sending the email on with his originating IP in the headers) could earn his business a blacklisting.

            It often took little to get blacklisted, and often for stupid or trivial things such as receiving a message from the wrong ISP or the heinous crime of starting a new business and using the business domain for email (why oh why would any person starting an IT or tech business EVER want to use their business name in emails instead of person@hotmail/citizen@gmail etc etc?).

            I'd support SH if they were a lot more careful about who they blacklisted and made it quicker and easier to get people off their lists, but (unless they've changed) they act in a way that causes a lot of pain to legitimate business owners and legitimate email users while marketing themselves as being something great. I wonder how many startups failed because of scumhaus's practice of blacklisting new firms, meaning these firms could never respond to legitimate queries from potential customers?

            I appreciate the lack of spam, but the human toll of their over-acting has no doubt been much higher than the value we get. It would be lovely if these people could be brought to justice. After the pain of people dealing with them, they deserve to be sharing a cell with the worst scammers and spammers out there.

            1. Anonymous Coward

              Re: For the love of..

              > The most common one I saw (where I was directly involved) was "new business under newly registered domain".

              That's the Spamhaus NBUNRD blocklist, I've heard of it. What they have is a list of all of the businesses in the world and when one registers a new domain an alarm goes off at Spamhaus and they immediately put the new domain on their NBUNRD-BL. Nobody knows how they get their list of the world's businesses or how they know when someone is starting a new one but there's speculation that they're funded by Hotmail and Gmail and it's a conspiracy to force businesses to keep using Hotmail and Gmail addresses.

              Don't get me even started on the Spamhaus FLAT-BL that blocks anyone who gets close to discovering the earth is flat.

              1. Kiwi
                FAIL

                Re: For the love of..

                Nobody knows how they get their list of the world's businesses or how they know when someone is starting a new one

                Oh, that's pretty easy for anyone who has any knowledge of domain registrations. Just look up the date the domain was first registered. Examples :

                El Reg was registered before Aug 1996 (according to Nominet), has a current 2 year registration, and that was last updated on 13th March 2018.

                Microsoft has a 7 year record expiring in 2021. They were first registered in 1991.

                IBM.COM are clearly spammers, as they have 1 year from their last 'update' to the end of their registration (according to the Corporation Service Company) - a one-year registration is after all one of the metrics that SH uses. ibm.com was first registered in 1986 though, so even though they may only register for a year at a time (not a given since the 'update' could've been a change of name server or other records) they have been around a little while.

                So the information is a mere 6 characters (plus domain name) away. Easy to achieve.

          2. Anonymous Coward

            Re: For the love of..

            I'm shocked. They must have been sitting there waiting for you and the moment you pressed that send button one Spamhaus guy said to the other Hey this dude is not on our Authorized To Refer Hospital Patients From Yahoo list. By any chance do you still have the reject message from that? That would be very interesting to see.

            1. Anonymous Coward

              Re: For the love of..

              I am glad you finally admit it.

            2. ElReg!comments!Pierre

              Re: For the love of..

              They must have been sitting there waiting for you

              The great thing about over-automation is that no one has to be sitting there at all. The automated system sees a direct-to-mx from a yahoo account to one of their customers, blam, IP blocked.

              The main metric used by SpamHaus and their ilk to market their lists is the percentage of blocked inbound mails. A blocklist that blocks 86 % of inbound mails is marketed as better than one blocking "only" 85 % of inbound mails, regardless of false positives. False negatives are visible to the client (the receiver, who pays SH) so they MUST not have them, but false positives are only visible by the sender, who may not be a client and may not have an alternative way of contacting the receiver to report abusive blocks by SH, so who cares ? I actually suspect that SpamHaus clients are automatically added to a do-not-block list, too, even if they deny maintaining such a list.

            3. ElReg!comments!Pierre
              FAIL

              PS: Re: For the love of..

              By any chance do you still have the reject message from that? That would be very interesting to see.

              No, I don't. I tend not to collect trash for the fun of it. I have no doubt that you would be very interested in a free audit of your broken model. I -and many here, I suspect- can provide test cases, logs and stats from a variety of systems both senders and receivers. At a price.

              Anyway, as anyone even vaguely familiar with the matter might tell you, the "reject message" would be of no interest at all since it's configured by the receiver. Unless you're trying to pinpoint which of your clients let slip that you are the cause of an abusive block, with potentially disastrous consequences. I understand that it would be damaging for your extortion-based business model. In my case the message was something about my IP being listed in some SpamHaus blocklist. It wasn't even in any of the many, many, many languages easily understood by "worldwide" SH operatives, like US English, US Ingrish or US English_Indian -optionally US English_Boston_Litterary, US English_Southern_States or US English_Midwest but these may carry a surcharge. (none of them a problem for me, but still a concern).

    2. JohnFen

      Re: For the love of..

      "If I catch someone is in my backyard checking to see if the windows and doors are locked"

      The SYN scanning being discussed is not so much checking to see if the windows and doors are locked (since the scanning is not attempting to set up a connection), but more like just counting how many doors and windows you have.

      You may well object to that as well, and I understand if you do, but it's not as bad as your analogy implies.

      1. gnarlymarley

        Re: For the love of..

        and I understand if you do, but it's not as bad as your analogy implies.

        I am off the beaten path so anyone counting my doors or windows that is not the local government is most likely doing so with intent to break in. You have to trespass in order to count my windows. While SYN scanning might not be as bad as you think, I do firewall security work and someone checking just to see how many windows I have has and will get the cops called on them.

        If you accidentally start up a port scan, then stop it as soon as you realize. If it continues, then it IS malicious. If you look at it from the firewall's point of view, there is no way to tell a difference between a SYN scan and a hacker who is trying to use that same SYN scan to see what I have.

        1. JohnFen

          Re: For the love of..

          "If you look at it from the firewall's point of view, there is no way to tell a difference between a SYN scan and a hacker who is trying to use that same SYN scan to see what I have."

          But you can detect and prevent actual attempts at breaking in.

          I'm with you in terms of your security stance, by the way. My own home network detects port scans and locally blacklists IP addresses that engage in it. That said, I disagree that port scanning is analogous to trespassing, and I disagree that port scanning is, in itself, a nefarious activity. It can certainly be a prelude to nefarious activity, though!
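Added example (not part of any comment in this thread and not any poster's code): a minimal detector of the kind the comments above describe, which counts how many distinct ports each source sends a SYN to inside a time window and puts sources over a threshold on a local blocklist. The record format, the sample addresses, the 60-second window and the threshold of 5 ports are all assumptions made for the illustration; the verdict rests on behaviour alone, so a researcher's scan and an attacker's scan are flagged identically.

```python
from collections import defaultdict

# Constructed sample records (not real traffic). Each line is one inbound
# TCP packet as seen at the firewall: epoch-seconds, source IP, local
# destination port, flag. S = SYN, A = ACK completing the handshake,
# R = reset sent by the source after our SYN/ACK (the SYN, SYN/ACK, RST
# sequence mentioned earlier in the thread).
SAMPLE_LOG = """\
100 198.51.100.7 22 S
100 198.51.100.7 23 S
101 198.51.100.7 25 S
101 198.51.100.7 25 R
101 198.51.100.7 80 S
102 198.51.100.7 80 R
102 198.51.100.7 443 S
103 198.51.100.7 3389 S
100 203.0.113.20 443 S
100 203.0.113.20 443 A
160 203.0.113.20 443 S
160 203.0.113.20 443 A
100 192.0.2.55 25 S
100 192.0.2.55 25 A
400 192.0.2.55 80 S
400 192.0.2.55 80 A
900 192.0.2.55 443 S
900 192.0.2.55 443 A
"""


def parse(log_text):
    """Return (ts, src, dport, flag) tuples in time order, skipping bad lines."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dport, flag = parts
        try:
            records.append((int(ts), src, int(dport), flag))
        except ValueError:
            continue
    # Stable sort on the timestamp only, so packets that share a second
    # keep their logged order (SYN before the ACK or RST that follows it).
    records.sort(key=lambda r: r[0])
    return records


def detect_scanners(records, window=60, port_threshold=5):
    """Classify each source by the number of distinct ports it SYNs per window."""
    syns = defaultdict(list)       # src -> [(ts, dport)] for every SYN
    pending = defaultdict(set)     # src -> ports with a SYN not yet completed
    completed = defaultdict(set)   # src -> ports where the handshake finished
    reset = defaultdict(set)       # src -> ports the source reset after its SYN
    for ts, src, dport, flag in records:
        if flag == "S":
            syns[src].append((ts, dport))
            pending[src].add(dport)
        elif flag == "A" and dport in pending[src]:
            pending[src].discard(dport)
            completed[src].add(dport)
        elif flag == "R" and dport in pending[src]:
            reset[src].add(dport)

    verdicts = {}
    for src, events in syns.items():
        worst, start = 0, 0
        for end in range(len(events)):
            # Slide the left edge so the window spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            worst = max(worst, len({p for _, p in events[start:end + 1]}))
        probed = {p for _, p in events}
        verdicts[src] = {
            "max_ports_in_window": worst,
            "never_completed": sorted(probed - completed[src]),
            "reset_after_syn": sorted(reset[src]),
            "scanner": worst >= port_threshold,
        }
    return verdicts


def local_blocklist(verdicts):
    """Sources to block locally: those flagged as scanners."""
    return sorted(src for src, v in verdicts.items() if v["scanner"])


if __name__ == "__main__":
    results = detect_scanners(parse(SAMPLE_LOG))
    for src, verdict in sorted(results.items()):
        print(src, verdict)
    print("block:", local_blocklist(results))
```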

          1. Anonymous Coward

            Re: For the love of..

            @JohnFen, I am paying for bandwidth and I want to make the best use of it, having to carry unwanted traffic is a cost to me when I get close to the cap and just in delays to legitimate traffic.

            As to your home network, you are still paying your ISP to carry the bad traffic to your home even if it gets blocked at the router, I presume your ISP also does some spam blocking which I presume you do not have problems with.

            If you were a major company then you would have the blocking on your domain host so you could get the most out of what you have paid for in traffic, security and reduced employee time wasted with spam.

            It is not fair but the days of random IPs being as trusted as registered domains are gone due to exactly the behaviour that Spamhaus are targeting, many of which were set up with open email relays for example. If you want to be trusted for your own actions then you need to have an IP that has not been abused and that means static, if you add in a full domain then notification of any problem will go to your abuse@mydomain rather than you having to chase them.

    3. Kiwi
      Holmes

      Re: For the love of..

      If I catch someone is in my backyard checking to see if the windows and doors are locked, I'm not buying them a drink. Spamhaus can and should be allowed to do what they'd please.

      Spamhaus's people should be given life sentences for messing with other people's legitimate business, preventing people from trading with each other, and causing a number of people untold grief simply because SH are abusive scum on a power trip.

  4. Anonymous Coward

    So scan from a different IP, doofus. Not your mail/web/super cereal stuff. :V

    1. gnarlymarley

      So scan from a different IP, doofus.

      If someone is really so stupid that they do their attempted hackings/port scans from their web/mail servers, then they really deserve to be blocked. This is what a honey pot is for. I started using honey pot servers more than two decades ago.

  5. Anonymous Coward

    legitimate port scanners?

    If they truly have a good reason to scan then why are they not asking permission first?

    GRC.COM for example do port scanning but I have not heard of them being upon anyone's block list, I would suggest because you have to ask them to scan you rather than getting bored finding your IP along with thousands of others in daily firewall logs.

    Just because it is not illegal (vested interests cough google cough) doesn't mean it is not a nuisance, personally I agree with Spamhaus

    1. gnarlymarley

      Re: legitimate port scanners?

      If they truly have a good reason to scan then why are they not asking permission first?

      Now hang on, this is how I have been working with respect to my local network for over two decades. Malicious is the person not asking, and friendly is the person asking. It is really not that hard people!

    2. Justin Case
      Mushroom

      Re: legitimate port scanners?

      Indeed. I was under the impression that a port scan on a target that had not granted permission would be the sort of activity that could be construed as on the borderline of hacking.

      I'll take care of my ports and you take care of yours. Keep your damn nose out!

      1. Anonymous Coward

        Re: legitimate port scanners?

        packet.tel home page doesn't exactly inspire trust. They are worried their business model is hampered by blacklists - and yes, I would like to keep people like them away from my networks. Whenever I need a scan/VA/PenTest, I'll do it myself, thank you.

  6. Ken Moorhouse Silver badge

    Schubert... Rossini...?

    Let's hope they can stave off their discordant tones in double time.

    (Sorry, I'm sure you lot can do better...)

    1. Doctor Syntax Silver badge

      Re: Schubert... Rossini...?

      Are you suggesting one's an Elf King and the other's a Barber of Seville?

  7. chivo243 Silver badge

    nothing like your tit in a wringer...

    It hurts, it's embarrassing, and you try to remove it with the least amount of embarrassment.

  8. Will Godfrey Silver badge
    Meh

    Self Important?

    While (as usual) there are multiple points of view and port scanning is always going to be contentious, I do get the impression that Spamhaus are somewhat arrogant and dismissive.

  9. big_D Silver badge
    Paris Hilton

    malicious reconnaissance or legitimate market research

    There is a difference?

    OK, security internet research is legitimate. Market research?

  10. JohnG

    Whilst the Spamhaus approach may be a rather blunt instrument, any security researcher who scans address ranges that belong to someone else without prior permission may well find their subnets on someone's shitlist, simply because the effect of their scanning may make them indistinguishable from those with malicious intent. It may or may not be legal to conduct such scans or even to have the necessary tools (depending on the jurisdiction) but it is also legal for those who have been scanned to block scanning IPs from their networks.

    1. DropBear

      False equivalence much? The damage caused by each side to the other is grossly disproportionate.

      1. Alan Brown Silver badge

        "The damage caused by each side to the other is grossly disproportionate."

        'My network, my fucking rules' - aka behave yourself, or you can fuck right off.

        If Packet.tel is claiming "damage" because they're being _boycotted_ (ie, outfits across the network are refusing to do business with them) then perhaps they should have thought their business model through before they started that behaviour.

        - Your IP connection is supplied by your ISP to you under a contract.

        - They buy from their supplier under another contract.

        - Even if those contracts contain a clause that you have guaranteed access to MY network, it has zero legal standing if they don't have a contract with me where I agree to it.

        - Companies which fail to comprehend this and have tried to litigate to force access to networks that they have no contractual agreements with (aka, forced acceptance without a contract) have found themselves in very _very_ hot water.

  11. Anonymous Coward
    Anonymous Coward

    My personal experience with SpamHaus is *much* better than with Google or Microsoft, which are much more opaque when you're not using their services.

    I've been listed by all 3, and SpamHaus was by far the easiest to delist, and that's as a mere individual. The "death sentence" bit seems rather exaggerated.

    1. Anonymous Coward
      Anonymous Coward

      Ooh, an anonymous personal recommendation! That's me convinced!!

      1. Anonymous Coward
        Anonymous Coward

        Oooh an anonymous retort! That has ME convinced!

  12. Anonymous Coward
    Anonymous Coward

    Block all scanners!!!

    Spammers did NOT give any of those "researchers" permission to scan their honey pots, so every one of them should STAY in the blacklist.

    The difference between "good researchers", and "bad actors" is *permission*.

    I got scanned without giving permission, and the "researcher" helpfully offered to tell me how to fix my problem, for money, and when I refused to pay, I got a barrage of threatening and abuse emails, and he's continued to harass me every month for over a year now.

    There is no such thing as a "good researcher" who's doing stuff WITHOUT PERMISSION - just shades of grey.

  13. Anonymous Coward
    Anonymous Coward

    Well, it looks like Spamhaus whining about whois data being no longer available.

    It's a bit funny because this kind of "researchers" whine about not being able to scan someone else's network for money, exactly like Spamhaus now whines about not being able to get all whois info since GDPR forced to hide most of them.

    While I understand that some kind of activities are easier when there's an easy access to something, it's also clear that there are sometimes downsides too - whois data with personal addresses and telephone numbers of people are a good example.

    What could have been acceptable previously, may become non acceptable later - and those impacted have to cope with it.

    1. Will R

      Re: Well, it looks like Spamhaus whining about whois data being no longer available.

      I have to agree with Spamhaus on WHOIS data not being available is a bad thing. Before GDPR, I used WHOIS to figure out what companies were receiving my browsing fingerprint when I opened a site. I now have very little to go on when a website starts using joes.tracking.services, and I then try to figure out who owns Joe's so that I can decide if I trust them or need to block them.

      1. Kiwi
        Pint

        Re: Well, it looks like Spamhaus whining about whois data being no longer available.

        I now have very little to go on when a website starts using joes.tracking.services, and I then try to figure out who owns Joe's so that I can decide if I trust them or need to block them.

        I thought the answer to that was bloody obvious. Tracking service? Cannot be trusted!

        The real issue now is I no longer can use whois to tell me who to distrust from now and forever more.

      2. Anonymous Coward
        Anonymous Coward

        Re: Well, it looks like Spamhaus whining about whois data being no longer available.

        Unluckily many registrars required your full details from ID cards or the like and put them into your WHOIS record. It simply became too dangerous to have all those details easily available.

        Spammers had no problem because they can register domains when entering fake data is far too easy.

    2. Anonymous Coward
      Anonymous Coward

      Re: Well, it looks like Spamhaus whining about whois data being no longer available.

      Maybe if they didn't treat the Whois as their McCarthy Blacklist it would still be there. Spamhaus is DIRECTLY to blame for the whois going private.

  14. Doctor Syntax Silver badge

    If you're going to take an approach that's liable to produce false positives and also disadvantage people on your list you really should have an efficient means of resolving issues that works at the scale that matches your operations.

  15. Dick Kennedy

    This is the problem with self-appointed guardians of the interwebs. I used to have endless problems with Spamhaus. My email was provided by a major ISP. Some other user who, presumably, was in the same IP pool as me may have done something unwise from time to time, which ended up with everyone who got dished out that IP being blocked by Spamhaus. About once a week I'd have to apply to Spamhaus to get it unblocked, which could take 48 hours. It became untenable. But my frequent queries to Spamhaus - about why & how they were blocking were treated either with arrogance or were completely ignored. I had to change my email setup because it was affecting my business. The terms 'self-important' and 'pompous' were coined for this bunch...

    1. Anonymous Coward
      Anonymous Coward

      It looks like the problem was also with your ISP that let people spam at will from its addresses.

      It happened to my lawyer, she was using services like mail managed by a local ISP, which routed all outgoing emails through a single SMTP server. When some other customer used it to spam, it ended in all known blacklists probably.

      Is this a blacklist fault? No - it's an ISP fault - blacklists do see a spam issue, and do their work to protect those using them.

      1. Doctor Syntax Silver badge

        "Is this a blacklist fault? No - it's an ISP fault "

        A bit of both. The ISP and Spamhaus should be able to work together to resolve the issue.

        1. Anonymous Coward
          Anonymous Coward

          "ISP and Spamhaus should be able to work together to resolve the issue"

          And they usually do - but if an ISP doesn't monitor outgoing email flows and can't catch a customer spamming, its IP(s) will end in many blacklists - and then they will need to ask for a removal. If the ISP was caught often - showing it has no will to stop spammers - for incompetence, laziness or greed, the removal can become more difficult.

        2. Alan Brown Silver badge

          "The ISP and Spamhaus should be able to work together to resolve the issue."

          In general ISPs as described respond to being listed by screaming their tits off about damage to their users, and their "RIGHT TO SEND EMAIL"(*) instead of actually removing the spammer.

          In cases where ISP servers end up repeatedly listed due to spamming events, ISP customers should take a hint and vote with their wallets.

          (*) There is no "right" to send email. It's a privilege, extended by receiving networks and it can be revoked at any time for any reason with no negotiation entered into whatsoever. As soon as some dolt starts ranting about his/her "rights" in this area, you know you have a fucktard on your hands and the best solution is to hang up on the conversation and walk away until they learn a few of life's lessons.

          1. Kiwi
            WTF?

            There is no "right" to send email

            So.. I've contracted an ISP to provide a service but I have no right to expect that service to be provided?

            When you pump petrol[1] into your car, do you expect petrol to come out of the pump - or would you be quite happy with acid, or molasses, or maybe urine to be flowing from the pump? After all, you have no "right" to get what you pay for.

            [1] Or whatever fuel you use

    2. Anonymous Coward
      Anonymous Coward

      @Dick Kennedy, you ran your business server off a dynamic IP and complained about being blocked?

      You could have avoided the whole problem with a static IP, when time is money then ~£5 is nothing in business.

      1. Kiwi
        FAIL

        you ran your business server off a dynamic IP and complained about being blocked?

        Lots of us used static IPs and business accounts, and still got abused by these scumbags.

        1. Anonymous Coward
          Anonymous Coward

          You look like someone who believes you have a right to spam people, and complain because systems designed to block people like you do their jobs.

          Remember no one is forced to use Spamhaus and other blacklists. Those who do, do it exactly because they are tired by people like you hammering their systems with the most useless, stupid, illegal, and often dangerous messages - in most countries breaking the laws that ban unsolicited messages without prior consent.

          Feel free to tell us which IPs and domains you're using and used - so we can check who is the real scumbag here.

          1. Kiwi

            You look like someone who believes you have a right to spam people, and complain because systems designed to block people like you do their jobs.

            You look like someone who jumps to weird conclusions with little knowledge of the facts.

            You're claiming that I have committed illegal acts (El Reg please take a look at this!) - you have accused me of criminal offences - with no knowledge of who I work for, what I have done etc etc etc.

            Short of traffic tickets and the like I have committed no crimes and I challenge you to show otherwise. On the other hand, in many countries your accusation could well be classed as a criminal offence. Shall we put that to the test?

            Like many, I have conducted legitimate and legal business practices. The communications have not been sent "unsolicited" with the exception of requests to other firms to conduct business with them, eg a first contact to Dell requesting parts for the repair of their hardware.

            It is not up to judgemental scum like yourself to act as judge and jury and decide if my business or those of my customers is right or not just because we're not paying some large corporate to handle our email for us.

            No I would not ever give out such information to someone like you. It's not hard to find.

            You are exactly the same sort of dangerous and absolutely nasty type of person that runs places like spamhaus and causes normal and law-abiding business owners and their techies no end of trouble.. You and your ilk deserve to spend the rest of your lives away from decent people.

            1. Anonymous Coward
              Anonymous Coward

              Paradox reached. Someone who jumps to weird conclusions with little knowledge of the facts telling someone else they look like someone who jumps to weird conclusions with little knowledge of the facts.

  16. jms222

    Self-appointed but

    They may be self-appointed but many people like myself that run mail servers use them for the absolutely stonking amount of spam they prevent.

    If I had a flood of complaints about legitimate email being blocked I would re-consider but I don't.

    1. JohnFen

      Re: Self-appointed but

      "If I had a flood of complaints about legitimate email being blocked"

      How would people who've been blacklisted be able to complain to you?

    2. Alan Brown Silver badge

      Re: Self-appointed but

      "They may be self-appointed"

      but so is every organisation that runs a mail server and Spamhaus didn't sneak out one night and install use of their lists into those mailservers.

      It's not overly surprising that the loudest whiners in the "Spamhauze blocked me" crowd have tie ins to the "alt right" and fake news generating crowd. The same mentalities tend to apply.

      1. Kiwi
        Pint

        Re: Self-appointed but

        It's not overly surprising that the loudest whiners in the "Spamhauze blocked me" crowd have tie ins to the "alt right" and fake news generating crowd. The same mentalities tend to apply.

        Wow.. First time I've been linked to "alt right" nutjobs! This is indeed a special day!

  17. Jonathon Green

    In my experience if people end up on Spamhaus block lists they’re either doing something which is (if not actually deliberately abusive) sloppy or they’re buying services from a provider which allows (or occasionally encourages) users to get away with abusive or sloppy practices. Either way the solution is in their hands by either stopping doing whatever it is that gets them blacklisted or moving to a more professional provider, and it’s not Spamhaus which is the problem...

    1. JohnFen

      "it’s not Spamhaus which is the problem..."

      It is when Spamhaus won't tell you why you've been blacklisted.

      1. Alan Brown Silver badge

        "It is when Spamhaus won't tell you why you've been blacklisted."

        Claim lacks credibility.

        Please cite your evidence and your IP.

  18. sitta_europea Silver badge

    Seems like a lot of anti-Spamhaus feeling here. Makes me wonder.

    I'm a happy user of the Spamhaus BLs, have been for decades, and their service is one of the best of the dozen or so that I currently use.

    Around 40% of the incoming mail connections I see are from IPs listed by Spamhaus. Those connections are immediately dropped, and usually tarpitted.

    The only other list I use with comparable effectiveness is bl.fmb.la, it's about as reliable but it's more like a 30% hit rate. SORBS hits over 40%, but in my experience is less reliable so their results are weighted less heavily.

    Being objective about it, there's a startling correlation between listings at Spamhaus and the unwantedness of mail connection attempts.

    In my view if you've had to switch providers because Spamhaus listed your IP, it's not the fault of Spamhaus - it's the fault of the provider. Many of them have already been named here, and I thoroughly agree with the assessments. Some of them really are fucking nuisances and I'd dance on their graves.

    1. Anonymous Coward
      Anonymous Coward

      "Seems like a lot of anti-Spamhaus feeling here. Makes me wonder"

      I think many were caught with the hands in the cookie jar. Maybe not professional spammers, but many companies thinking that sending unsolicited messages to whatever address they can obtain should be fair game.

    2. Alan Brown Silver badge

      "Seems like a lot of anti-Spamhaus feeling here. Makes me wonder."

      Don't. This is the usual trollfest.

      The lack of evidence to support claims of "unfairness" or "arrogance" or "refusal to provide evidence" should be ample clue that the posters have been let out way past their bedtimes and mummy has given up calling them in for tea.

      1. Kiwi
        Thumb Down

        The lack of evidence to support claims of "unfairness" or "arrogance" or "refusal to provide evidence" should be ample clue that the posters have been let out way past their bedtimes and mummy has given up calling them in for tea.

        Spoken like a true fanboi troll.

        In most jurisdictions, in a large % of criminal trials, witness testimony is enough to convict. In the vast majority of rape and sexual abuse trials witness testimony is the only evidence used to convict (he says "it was consensual" she says "it wasn't", no physical evidence since months or even years have passed). For many murder trials there is little or no physical evidence left (if the body is found years later - and in some cases the body is never found) so it may be the evidence of "I saw someone in a white toyota pick up a hitch hiker" that is the strongest evidence.

        So for your "refusal to provide evidence" - here we have a number of cases of first-hand witness testimony stating that Scumhaus has harmed legitimate businesses and caused harm to innocent people. It's plenty enough to convict someone of rape so should be reasonably acceptable here.

        For many we cannot give any more evidence because of corporate, security, privacy and all sorts of other things. For me, in part I simply no longer have the evidence nor even access to the machines - it was some years ago and I have moved on.

        But even where the material still remains in my hands I won't give it. I know your type of troll, and whatever I was to present here you would simply claim it was faked. Scamhaus themselves could put up the materials on their website, agree with everything I say and admit we're right they did act in a terrible manner, but you would claim it was somehow made up and not real evidence.

        These scum caused enough stress. Why should we open ourselves up to more abuse by 'people' (I use that as loosely as possible) like you?

  19. Gary Gapinski

    TCP half-open is not legitimate

    "A SYN scan, or half-open scan, waits for a SYN-ACK response from the server and if it receives a response, it does not respond. Such events generally are not logged because a TCP connection is never consummated. These port scans may be malicious reconnaissance or legitimate market and internet research, and the difference is not always obvious."

    Having watched quite a bit of traffic, I'll assert that sentence #1 describes unwanted (and thus block-worthy) traffic. A "legitimate" scan would send a RST in response to the SYN-ACK, which would distinguish it from a TCP half-open attack. I recently appeared to have provoked some multiple addresses in ASN55679 to do exactly this (SYN, SYN-ACK, silence) and have since tweaked net.ipv4.tcp_synack_retries=1 and am considering 0 retries (the default is 5).

    I whitelist research scans when they provide a tidy list of origins with which to so do — not all do, nor do all provide an easy way to assess the origin, such as providing an explanatory web page at the scan origin address.
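An added example, not part of the original comment or of any tool named in the thread: a classifier over a constructed packet list that separates the three client behaviours the comment above distinguishes (handshake completed, RST after SYN-ACK, silence after SYN-ACK), and computes how long an unanswered SYN-ACK is held for a given net.ipv4.tcp_synack_retries value. The addresses, tuple layout and function names are assumptions of this example, and the timing assumes a 1-second initial retransmission timeout that doubles on each retry.

```python
from collections import defaultdict

SERVER = "192.0.2.10"  # constructed address (RFC 5737 documentation range)

# Constructed sample capture, not real traffic.
# Tuple layout (an assumption of this example): (time_s, src, sport, dst, dport, flags)
# flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST
PACKETS = [
    # Ordinary client: full three-way handshake
    (0.000, "198.51.100.7", 40001, SERVER, 25, "S"),
    (0.001, SERVER, 25, "198.51.100.7", 40001, "SA"),
    (0.030, "198.51.100.7", 40001, SERVER, 25, "A"),
    # Scanner that tears the attempt down with RST after the SYN-ACK
    (1.000, "203.0.113.5", 50000, SERVER, 22, "S"),
    (1.001, SERVER, 22, "203.0.113.5", 50000, "SA"),
    (1.020, "203.0.113.5", 50000, SERVER, 22, "R"),
    # Silent source: SYN, SYN-ACK, nothing. The server (tcp_synack_retries=1)
    # retransmits the SYN-ACK once before giving up.
    (2.000, "203.0.113.99", 61000, SERVER, 443, "S"),
    (2.001, SERVER, 443, "203.0.113.99", 61000, "SA"),
    (2.100, "203.0.113.99", 61001, SERVER, 8443, "S"),
    (2.101, SERVER, 8443, "203.0.113.99", 61001, "SA"),
    (3.001, SERVER, 443, "203.0.113.99", 61000, "SA"),
    (3.101, SERVER, 8443, "203.0.113.99", 61001, "SA"),
]


def classify_flows(packets, server):
    """Label each inbound connection attempt by what the client did after SYN-ACK.

    Returns {(client_ip, client_port, server_port): (label, synacks_sent)}.
    """
    flows = defaultdict(lambda: {"syn": False, "synack": 0, "reply": None})
    for _, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if dst == server:
            flow = flows[(src, sport, dport)]
            if flags == "S":
                flow["syn"] = True
            elif flow["synack"] and flow["reply"] is None:
                # Only the first client packet after the SYN-ACK decides the label.
                if "R" in flags:
                    flow["reply"] = "R"
                elif flags == "A":
                    flow["reply"] = "A"
        elif src == server and flags == "SA":
            flows[(dst, dport, sport)]["synack"] += 1

    labels = {"A": "completed", "R": "reset_after_synack", None: "silent_half_open"}
    result = {}
    for key, flow in flows.items():
        if flow["syn"] and flow["synack"]:  # ignore attempts the server never answered
            result[key] = (labels[flow["reply"]], flow["synack"])
    return result


def silent_sources(flows):
    """Count silent half-open attempts per source address."""
    counts = defaultdict(int)
    for (src, _, _), (label, _) in flows.items():
        if label == "silent_half_open":
            counts[src] += 1
    return dict(counts)


def half_open_hold_seconds(synack_retries, initial_rto=1.0):
    """Seconds an unanswered attempt stays half-open on the server.

    Assumes the server waits initial_rto after the first SYN-ACK and doubles
    the wait after each of the synack_retries retransmissions.
    """
    return sum(initial_rto * 2 ** i for i in range(synack_retries + 1))


if __name__ == "__main__":
    flows = classify_flows(PACKETS, SERVER)
    for key, (label, synacks) in sorted(flows.items()):
        print(key, label, "SYN-ACKs sent:", synacks)
    print("silent sources:", silent_sources(flows))
    for retries in (5, 1, 0):
        print("tcp_synack_retries =", retries, "->",
              half_open_hold_seconds(retries), "s held per silent attempt")
```
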

  20. LR-SH-CH

    A short note by Luc Rossini

    Hi, this "Curious case of Spamhaus" story has a lot of people either incensed at the apparent arrogance of Spamhaus dismissing as codswallop it "has been automatically blocking people for carrying out legitimate network port scanning and failed to provide a prompt means of redress" or, it has people scratching their heads because it's well known that Spamhaus lists certain types of port scanning activity, we even say so in our SBL FAQs. This story therefore opens with a perfectly valid issue, why on earth would Spamhaus dismiss it? (even worse, refer to it as "codswallop"!).

    Well, We didn't. If you give me 2 minutes of your time you'll see why:

    https://twitter.com/LucRossini/status/1119715551583068161

    No matter what your opinion of Spamhaus; whether we're crap, great, evil bastards or good guys; your opinion is always valid as long as it's not based on fallacy. What this Register story bases its entire opening premise on, and sets the scene for you with, is fallacy. Thanks for your time.

    1. Kiwi
      FAIL

      Re: A short note by Luc Rossini

      Well, We didn't. If you give me 2 minutes of your time you'll see why:

      https://twitter.com/LucRossini/status/1119715551583068161

      Interesting. I try to follow your link, and Twitter responds with large letters saying "Sorry, that page doesn’t exist!"

      No matter what your opinion of Spamhaus; whether we're crap, great, evil bastards or good guys; your opinion is always valid as long as it's not based on fallacy. What this Register story bases its entire opening premise on, and sets the scene for you with, is fallacy. Thanks for your time.

      Posting a broken link in rebuttal does not do you many favours.

      Now please... Do the world a favour.. I'll give you a couple of options. My preference is that you close up shop, sell all your hardware and give the money to the poor, then go and turn yourself in to the UN, any local police station etc, let them know you've committed a great many crimes and have caused a hell of a lot of harm to innocent people, and spend the rest of your life in jail.

      Alternatively, just fix your systems so you're not causing innocent people harm. I appreciate the intent of your system, but I do not appreciate the great many hours of stress trying to get blocked businesses un-blocked, nor do I appreciate the potentially thousands of opportunities myself, my friends and my customers have missed because you lot took it upon yourselves to decide what was a good or a bad business (eg a small business just starting out on a very tight budget only registering their domain for a year and using a previously unknown server, ie their own server they just built also on a tight budget).

      The hate and bitterness towards your firm from your innocent victims is well deserved. Stop doing harm. Either do your job right or stop doing it altogether.

      1. LR-SH-CH

        Re: A short note by Luc Rossini

        Kiwi,

        From your description of what was listed, which I gather was a newly registered domain on a newly set up mail server, you probably encountered our ZRD blocklist. ZRD is a blocklist that in fact automatically lists all new Internet domains for 24 hours. The purpose of ZRD is explained properly at the url below - but basically boils down to the vast majority of newly registered domains being malicious. Phish, malware, ransomware, etc., is almost entirely newly registered domains that begin mailing within minutes of appearing, while it's very very rare for normal domains to start sending mail immediately after registration.

        Obviously there's always that rare exception where a freshly registered legitimate domain does start mailing right after being set up (such as in your case) and, if the message recipient is a customer of a network that uses the Spamhaus ZRD, the incoming message would be rejected by the recipient's mail server (which I assume is what happened in your case).

        Spamhaus ZRD (what is it, how it works, and why):

        https://www.spamhaustech.com/news/recently-registered-domains-how-to-avoid-the-risks/

        1. Kiwi
          Pint

          Re: A short note by Luc Rossini

          ZRD sounds familiar (however I did spend a lot of time trawling over stuff back then so may've encountered it as a result of other research), however...

          I'm fairly certain (no way to check) that the domains were registered and then the servers built, nothing running (as such) initially except maybe a holding page. That said I was building my server before we came up with the business name so perhaps some test emails pretty quick after the server went live.

          But in other cases, the domains weren't sending straight away. In at least a couple of cases it was some weeks before they started using the domain for email.

          I do recall that some of the issues was that we were initially using Paradise, by that stage brought out from Vodafone. I believe Paradise had a low reputation (was not my choice of ISP - was a legacy issue) but that shouldn't really matter.

          For a little while one server was hosted on a home-based VDSL connection because of physical cabling issues at the business premises, but that still doesn't justify blocklisting someone. The email server complied with and even exceeded the standards for the day, had not been used for spam/UCE, so why blacklist?

          As I think I stated earlier, one of the issues was only listing for a year at first - I also don't see that as a reason to blacklist given that many startups are done on a very tight budget and even at $NZ50 or thereabouts for a 2-year registration (IIRC - maybe the next step was 5 years so around $120NZ - I honestly cannot fully recall this stuff now :) ) it's asking a lot of a very tight budget. We built the business with a starting budget of $1500 - that had to buy the first month on a lease, power and phone/internet connections, domain, hardware, benches, some tools, advertising... But I digress.... (I remember the tears of a dear friend when talking hosting options and I told her the cheapest suitable was $120/year, before I said "Look, I'll build the site and host it on our server - it won't be as fast as we only have a VDSL connection (no fibre at our business then) but it'll get you going". Although they used another setup for email (I think a pointer to hotmail - don't blame you for blacklisting that!) they did run into issues as well with their site being visible due to someone's blacklist. Apparently co-hosting on VDSL makes us criminals or something (at least according to LDS.. :) )

          We are going back some 5 years, I've since moved into other areas, so memory of some parts of the events could be cloudy, however there still was issues (more than once) with us being blacklisted because your systems automatically assumed we were doing bad things based on rather dubious concepts of what is or isn't bad practice. You chose to punish us not because of what we had done, but because of what others on our first ISP had done, or because you simply didn't like that a server had sat on a home VDSL, or that you didn't like that we were a small business with a short registration period until we got established.

          LDS claims I am probably a criminal because I wanted to run a business from a small on-premises web and email server. He would judge me, and the many millions of business owners like me, as sending "useless, stupid, illegal, and often dangerous" emails simply because we chose to host our own servers rather than pay someone else to do it. Is that really the sort of person you are, or who you would wish to side with? From your discussion here, I would expect otherwise - I am seeing a much nicer side than the machines I was dealing with in the past.. But from the machines and issues I dealt with in the past, s/he does seem much like the sort of person you would applaud.

          I want to make this world a much better place, to see people struggling less and enjoying more. I want business and trade to be as easy as possible (while I really still would like to see NZ businesses get more of the local $ rather than Ali Express and Ebay etc getting our money). I hate people being 'punished' or in other ways made to suffer or struggle just because someone thinks an automatic restriction would be a good idea.

          Please, revisit your bots and make sure the automation isn't going to cause anyone harm. Don't act based on what someone like me did, act on what I do. Punish me for my mistakes, not for JoeSpammer's actions. And don't punish the next guy for his mistakes. Your system cost us a hell of a lot, and made it a lot harder to start a new business up and running. You made it impossible for us to communicate with our customers by email, and we lost some we dealt with face-to-face early on because they saw that we had a reputation as being 'spammers' even though our business had only been running a few weeks. Obviously we were bad, the good people at SH would never make mistakes or judge someone based on other people's actions.

          Take more care about who and why you blacklist. Don't consider a server 'bad' until it misbehaves. Watch, perhaps, but don't act. Be ready to act at a moment's notice, but not until they actually do something wrong. Sure, you'll not be able to prevent some things, but you will no longer blacklist legitimate business owners just wanting to act in a perfectly legal and maybe even honest manner.

          That's why I am pissed at you and your firm. You helped make a difficult time even harder.

        2. Kiwi
          WTF?

          Re: A short note by Luc Rossini

          Spamhaus ZRD (what is it, how it works, and why):

          https://www.spamhaustech.com/news/recently-registered-domains-how-to-avoid-the-risks/

          Just followed your link, and see in the article "Legitimate organisations will rarely activate a domain and start using it immediately after registration"

          Er, why would you even begin to think that? Someone comes up with a business idea, they get a name, check and find they can register it (or a close name to what they want), register the name and then.. Sit and wait a few years before they begin to trade?

          WTF????

          No. Newbie business owners want to start being able to trade immediately. Thanks to the quality (as much as it pains me to admit this!) of template-based sites like WIX and other such "build and activate your site in 10 minutes" template-heavy places, business start ups can have a reasonable and functional site going inside of an hour after coming up with the idea.

          I've seen this happen dozens of times in the last year even though I am now well out of that area of the industry (well nearly seen it, some take a few days to get to putting up a site). They want to have a business card and business email and website etc, and get it all running ASAP.

          And yet you think it is not legitimate to want to use your domain name the moment you get it registered? What the hell is up with your thinking? How do you come to this conclusion?

          No wonder you mis-treat people and cause so many headaches!

          BTW, my issues with your firm were before ZRD was running so no, not that causing the problems.

    2. LR-SH-CH

      Re: A short note by Luc Rossini

      My apologies, the correct Twitter link is:

      https://twitter.com/LucRossini/status/1120344302847234049

      (or see @LucRossini)

      1. Kiwi

        Re: A short note by Luc Rossini

        My apologies, the correct Twitter link is:

        https://twitter.com/LucRossini/status/1120344302847234049

        Thanks. I'm not a user of Twitter, and don't turn the JS on to view it either. As far as I can tell nothing is hidden from me with that, and so it seems that most of the posts (on this topic) are just you replying to yourself :) But not a user of twitter and could be missing something.

        Anyway.. I agree that hanging or praising someone should be based on their merits, not what others mis-say about them. I base a lot of my dealings with people (and what I say about them) on personal experience.

        My experiences with SH have been maybe a little bit of spam or other stuff avoided, but a LOT of stress due to people winding up on your blacklists who shouldn't be there. As I said elsewhere, the most common one seemed to be new business owners emailing from new domains. Legitimate business emails, if any form of UCE then they were emailing a potential business partner seeking legitimate trade.

        I respect what you have tried to do, I respect that you have acted to stem the tide of crap that floods the internet. But your original goals have also caused others a great deal of pain. Yes, I even respect and agree with blocking where un-requested port scanning is going on (at least send an email saying you're doing or have done it - I have seen (and blocked) research orgs BECAUSE they failed to talk first - but now wonder was their failure to communicate because of them, or because of YOU?). Automating a lot of stuff helps people out quickly, but it should be as quick to un-block as well, especially where it is a new business.

        You have potentially cost people their business. It is feasible that has even led to some people being so despairing that they have harmed themselves or others (hopefully unlikely though). I appreciate your goals. I appreciate what it is to work to better the world while being reviled. I appreciate that it is largely "free" to others. I don't appreciate that some of us have had to pay a LOT to deal with your systems going overboard though.

        So please, get it sorted so we never see another article telling of how your 'service' caused pain to others. Well, except to spammers and scammers - them you can cause as many headaches for as you like (while they're being naughty and harming others).

  21. Anonymous Coward

    Same Old Same

    Spamhaus has always been malicious in the way they list IPs and subsets. They have taken covert contracts from rogue governments seeking to propagate ideology or to censor the propagation of opposing or dissenting data, they have attacked critics to the point of being hit with one of the internet's most aggressive DDoS attacks, they have operated under international freedoms and hired American mitigation companies to coerce American law enforcement to stop said attacks. Spamhaus are no more than old script kiddies living off their egos in their parents' basement.
