Deluge of of entries to Spamhaus blocklists includes 'various household names'

Re: IT much?

I ran my own email server for years but I gave up in the end because Spamhaus kept blocking basically any email coming from my ISP's range. I had a static IP from them and I had SPF records set up and never sent any spam, just normal work and family & friends emails. But I got blocked anyway.

So, yeah, fuck 'em.

Re: IT much?

What I can’t understand is how this is a story. When will Ms Dobberstein write a follow up “spammers try to get Spamhaus cancelled on Twitter (and we write an article about it). Fails miserably”

Re: Lack of feedback

"In this particular case there was only a handful of people in the office but it still wasted hours of our time in investigating potential sources."

Well, there you have it - Spamhaus's time wasn't wasted, so why would they care?

Re: Lack of feedback

-> we can find no evidence of any spam being sent

Did you read the link in the article? Here's a quote: "Our researchers are observing mail being repeatedly sent to multiple mailboxes that have NEVER accepted one single message from the sender."

Perhaps you or your clients have a mailing list which has a lot of dead email addresses on it. I have seen this personally many many time.

Now you mention it, I do wonder why nobody's done this yet. Especially in the English courts, where that sort of thing can get very messy and very expensive very quickly.

People have tried in the past, usually without much success because often the industry supports their efforts. Plus if you clearly state the rules for inclusion, I suspect it'd be hard to argue defamation, especially when the actual blocking/harm is done by other parties who want the service and to reduce spam.

One of my proudest moments as a fledgling network engineer working for one of the largest global ISPs was about this. I used to monitor the net.abuse newsgroups for mentions of us, or our AS or IP ranges and spotted people complaining about open relays.

Our sysadmins seemed disinterested, so I kicked it up the food chain muttering things about being a good neighbour, reputation damage etc and the relays were closed the next day. Then there was a nice post from one of the complainers saying they'd spoken with a neteng, and next day, the problem had stopped. And from an enlightened self-interest pov, so had the traffic levels on some very expensive transatlantic capacity.

No case to answer

It's certainly not libel: they are not making fraudulent or defamatory claims about people. Spamhaus is a data aggregation service, complete with T&Cs which other entities choose to use to filter e-mail. There is no guarantee of e-mail transmission anywhere.

Except what you describe has nothing to do with SpamHaus: they do not make email vanish.

The mail admin of Channel 4 did, and their decision to not provide a bounce to the sender goes against SpamHaus recommendations. My server sends a bounce, it includes a link, just click on it to get an explanation and how to get the IP out of the list.

-> In the end Spamhaus had blocked an entire range (not just a block) because of one offending IP

I'll give you my take on this. On our servers, we have never seen even one legitimate email from Linode or Digital Ocean IP addresses. Not a single one. Nor did we ever see any legitimate traffic at all.

What we do see (or did see) practically every day was script kiddie level scanning for vulnerabilities from IPs in those ranges. Should we keep adding their IPs one at a time, in the kind of certainty where I would put £1,000 on it that we would get more bad traffic from more of their IPs in the coming days? Or did we take the blunt instrument and block all traffic from those IPs completely and stop wasting our time on it? I'll let you decide the answer.

I don't know what Spamhaus' practice was, as you say, about 20 years ago. Perhaps they had other reasons.

I get why server admins use Spamhaus, but they must miss A LOT of genuine communication by doing so. Seems more trouble than it's worth to be honest.

As with everything, it depends on how you use it. My anti spam filtering solution gives messages a score, and predefined things happen with certain score ranges. (eg, deliver to mailbox, quarantine, delete outright)

Personally I do use Spamhaus, but the score imparted is just over that of quarantining just on the basis of being listed.

However, you also get points deducted for using certain words, so a legitimate email containing words commonly used in our industry would get it through the spam filter despite being listed. An email not containing such words, and containing spammy words such as "unsubscribe", "viagra", etc etc etc would remain in quarantine, unless it pushed the score up to the point that it's deleted outright.

Email should never disappear. That's a serious configuration error.

Mine refuses to accept delivery of spam. If any email to me vanishes, it's the sender's fault. I'm looking at you, SendGrid.

Re: I agree with Spamhaus' reasoning

If the mail addresses exist, how do you get a "user unknown"?

And why keep alive mailboxes that are have not been used for 18 years?

Re: A vote for Spamhaus.

I used them too on my mail server until I moved provider to EE at which point no mail came through. Disabling the Spamhuas check unplugged the blockage so I have the choice of a provider which has been good in all other aspects and just deal with the Spam or else go back round the 'which ISP do I try next whack-a-mole

Re: A vote for Spamhaus.

"Spamhaus policies are too conservative"

Definitely, that's why we use in parallel our own (huge) blacklist, containing among others a lot of those newfangled TLDs -- yes, the whole TLD. As requested by our users, who were spammed silly by numerous fly-by-night domains on those TLDs (".casa", ".website",".top", just to name a few).

And FYI, in 30 years no user has ever complained about legitimate mails disappearing. You can say whatever you want, but it works for us so we are not going to change it for some misguided cheapskates who chose to use spammer resources. Sorry, it's "lie down with dogs, wake up with the fleas" as they say.

Re: I thought that the problem was obvious....

[quote]

In my opinion Spamhaus is the problem. If they admit that they are blocking emails of commercial entities then I would say it is time to pack up and rely on SPF and domain validation as this apparently works.

[/quote]

Spamhaus doesn't actually block anything, it offers an opinion which its users are free to ignore if they wish. For example if I want to, I can whitelist some poor schmuck who happens to be stuck with OVH.

Apparently you've no idea what SPF is about so I suggest you take a look at RFC7208.

Re: I thought that the problem was obvious....

Did you know that companies who send spam are all commercial entitites?

Blocking mail from commercial entities is exactly what Spamhaus are supposed to do.

I've never known Spamhaus to make mistakes

The only out and out mistake I've seen was accidentally listing one of Postini's netblocks for a couple of hours somewhere around 12-15 years ago.

Re: Spamhaus are NOT the problem, spammers are the problem!

"their domain was hosted on the same host as my domain"

You should have a different IP address and thus be a clearly different entity. Bigger hosting companies host many thousands of different websites, do you really think one bad apple in there would automatically block them all?

Now if you use a cheapskate hosting solution where several websites live on the same IP address (redirected locally by the host), it's your fault: It means you took the risk of being bundled together with whoever is your co-tenant(s), since only your hosting company can keep you apart. You pay less, but you willingly take a risk, don't complain if it comes back to bite you.

Re: Open Resolver Public DNS problem, 8.8.8.8

Hi, a layman's explanation.

Consider the following route that emails follow when Bob emails Joe

Sender (Bob) -> Senders Mail Server (Twiki) -> Receivers Mail Server (Kryten) -> Receiver (Joe)

Bob clicks send

Bob's email is passed to Twiki

Twiki Passes the email to Kryten

Kryten delivers the email to Joe.

- However When a DNSBL is involved

Bob clicks send

Bob's email is passed to Twiki

Twiki informs Kryten an email is ready to be passed to it.

Krytem looks up Twiki on Spamhaus (or other DNSBL) and finds a listing.

Kryten tells Twiki that the email is being rejected, and if configured correctly, gives an accurate reason why.

Twiki tells Bob that the email was rejected, along with whatever reason Kryten gave (if configured)

If anything other than the above occurs, then either Kryten or Twiki is not configured to transport mail according to RFC standards and this is where things go wrong.

So if I read your post above correctly, Bob is emailing Joe, and Joe gets the bounceback notification. This indicates either Twiki or Kryten is configured incorrectly because Bob should be getting the response his email did not get through, This isn't Spamhaus's fault. An admin has configured the mail transport incorrectly on their server.

Re: Different strokes

Unless you are your own ISP (and the IP is not blocked because the PBL), there's almost nothing as a user you can do because it is an ISP matter to solve, especially if your not the issue, so you have no control over it.

It's your ISP that is not delivering the service you paid for, and it's your ISP that has to work to get de-listed. In a post above I told about my lawyer getting her mails blocked because her firm had delegated the management of their domain, website and mail to a company who used shared web and mail servers, because each customer was "small" enough. Inevitably, when one of them started spamming, all those on the same sever got blocked, because of IP-based blacklist and shared server. There is no way to "unblock" a single domain or user, in such situation. There are also domain-based blacklist, but since spammers are able to buy thousands and thousands of cheap domains quickly, while IPv4 addresses are now scarce, they are far less effective.

To get her (and others) unblocked, the ISP had to act to remove the offending sender. Some ISPs drag their feet because it's lost money, or because they routinely ignore "abuse" messages. They might try to deflect their customers' rage towards Spamhaus ("spurious reasons" - who told you so?), but actually the issue is their lack of willingness to do anything to solve the situation.

Unluckily there is no authority on the internet that can tell to an ISP "you're acting unlawfully - surrender your IPs and cease to operate", so people have to defend themselves in other ways, and that unluckily means sometimes someone can be caught in the middle.

I don't know if they refer to the CSS component of the SBL which returns 127.0.0.3 (see https://www.spamhaus.org/css/), instead of a proper SBL listing that returns 127.0.0.2, or to messages they send to IP owners notifying them of a spam issue before adding them to the SBL - from the article is not clear.