SpamHaus – Irresponsible Net Citizens
I think in general that spam blocking databases are a good thing. I am as frustrated with spam as the next person. However, I think SpamHaus is irresponsible in the service they provide for the simple reason that they abuse their power and refuse to implement levels of granularity in their database. For example, right now my organization the Terrorism Research Center is being blocked by SpamHaus. We’ve operated on the same single static IP address for five years and we have never had a complaint against our IP address with SpamHaus. So why are we being blocked? Because according to SpamHaus we live in a bad Internet neighborhood and should be blocked because another IP address in our same subnet sent a direct mailing for Staples. Instead of just blocking the IP address engaging in spamming, they are blocking the whole subnet!
Let’s look at a real-world equivalent to what SpamHaus is doing.
John Walsh runs a national sex offender registry at FamilyWatchDog.us. This is a responsible service that lists individuals and their granular Street Address.
What if John Walsh followed the SpamHaus methodology? Well, when a sex offender moved into your neighborhood, instead of listing the street address, they would list your whole neighborhood.
Now, let’s imagine that your neighborhood being listed resulted in your not being able to get a job because an employer voluntarily looked at the list, saw there was an offender in your neighborhood and can’t tell if it is you or not so they refuse your right of employment. Also, when you try to mail in your bill using USPS it is returned to sender because your power company doesn’t accept mail from any listing in the Family Watchdog database.
When you contact Family Watch dog, they tell you the world is a big place. You are a free citizen and have the power to move and not live in a neighborhood with a sex offender.
This is exactly what SpamHaus is doing to TRC right now.
Lists of offenders, whether they be sexual predators or spammers, can be a good thing, but not when they are operated by irresponsible entities that build a level of trust and then manipulate the system in ways that are harmful to the communities they are trying to protect. The Terrorism Research Center operates 24/7/365 because our customers rely on the intelligence we provide to stay safe. Also, tens of thousands of people subscribe to our free newsletter to stay better informed on issues of terrorism and homeland security. However, SpamHaus is impacting our ability to do good work. Their attitude in dealing with these issues is arrogant, cocky and wrong. You can argue until you are blue in the face that SpamHaus only maintains a database and implementation is voluntary, but the bottom line is they have established an extensive following and have a responsibility to provide accurate results to their users.
If you are currently using SpamHaus, you should take a serious look at how their policies might impact your organization. If you like SpamHaus (as most do) you should email them and encourage them to be more responsible net citizens. There is no reason to block the Terrorism Research Center IP. There is no record of spam sent by us, no complaints against our organization in over 10 years of Internet operation. We’ve been responsible net citizens, it is time for SpamHaus to do the same.
I am happy to talk to any media outlets that want to discuss this story.
Update: As of 30-Jan-2007 09:34 GMT SpamHaus has changed the record to block only the offending individual IP address, not the entire subnet. This is what they should have been doing from the start. This issue is far from over because we need to hold SpamHaus accountable for their lazy and coercive practices. They should not be blocking entire subnets, especially when they have proof that doing so will hurt legitimate organizations (we provided that proof in 2005 to them). They should not use their status as the maintainers of a widely used spam database to coerce organizations to switch ISPs. They need to stay in their lane and focus on providing accurate listings.

Comments (44)
January 29th, 2007 at 3:16 am
Its not quite that simple.
The problem with blocking with a higher granularity is that spammers tend to buy (access to) a range of IPs and jump IPs when they get listed.
While some ISPs correctly identify the current owners of IP space, many do not. Spamhaus is basically making that practice uncomfortable for the ISPs’ customers (such as yourself) by blocking the organisation to which the subnet is registered. Rather than calling foul against Spamhaus, perhaps you should be asking your ISP why they’re associating you with bulk mailers (by not clearly identifying your IP space as being owned by you).
Having said that I don’t agree with their tactics. As someone who writes detection for an antispam solution, this practice does cause me something of a headache; when our product, that relies on Spamhaus’ reputation database, false pos’s on mail from legit organisations such as yourselves and I have to deal with the fall out. As a result we’re investigating creating our own reputation database.
Some would suggest this is a form of terrorism perpetrated against ISPs and you innocent bystanders in the war on spam. But I suspect you’d be more qualified to comment on that than I.
January 29th, 2007 at 4:02 am
Brrr… anony netizen, you are missing the point.
The point is not whether or not it is simple to create a reliable reputation database. The point is that spamhaus is knowingly dismissing proof of innocence, and is persisting in compromising the relevancy of their database.
Normal justice systems (that you and I prefer) work on the premise that you are innocent until proven guilty. Very bad dictatorships assume you are guilty until you can prove your innocence. Spamhaus is pronouncing the verdict “guilty” with associated punishment, completely disregarding proof of innocence.
Perhaps you should be asking spamhaus what makes it ok to sacrifice legitimate communications in their fight against spam? And while you’re at it, what is an acceptable level of casualties in the form of innocent(!) bystanders?
Spammers cripple email systems. Spamhaus cripples legitimate communications. I hate spammers. And now, it seems, I cannot trust spam-fighters to -WANT- to have accurate information.
How stupid.
–GJ–
January 29th, 2007 at 4:59 am
Now you’re just being silly. Of course spam fighters want, or better yet NEED accurate information. What we don’t have is the time to research every single domain/IP block candidate fully before blocking it. By the time we’d finished researching, the campaign would be over. Result: the spammer wins.
I understand where you’re coming from. Your argument shows all the passion of someone who’s been treated unjustly. And I don’t deny that fact. I just think you’re pointing the finger of blame in the wrong direction.
The implication of your post is that humans at spamhaus are manually making decisions on a case by case basis. The comparison with the sex offenders register (where you name the owner) establishes that picture. And your analogy of a justice system reinforces it.
The analogy of the sex offenders register is really not a good comparison because the register is dealing with a much much much much smaller number of ‘offenders’ who’ve already been judged and found guilty by due process. Simply put, the sex offenders register offers a level of precision that spamhaus can not hope to achieve (unless, of course, ISPs add a greater level of granularity to their records).
Closer to the truth is that an automated system performs a lookup on each of the hundreds of thousands of IP address, finds out who owns it, and adds that subnet to a block list. That your ISP wont spend the man hours to correctly identify each subnet they manage is hardly Spamhaus’ fault.
Spamhaus’ position is – if you don’t want to be blocked, get your ISP to identify you correctly. Then that problem goes away.
That you’ve been good netizens and not sent out spam doesn’t really come into it. How are spamhaus supposed to know about that?! And if they try to evaluate every single block manually they’d miss the campaign and the spammer wins.
Like I said, I don’t like that they do it that way but I can’t see another solution.
That all the major anti spam vendors produce stats on what they consider to be acceptable levels of false positives, I’d say, somewhat vindicates spamhaus. The fact is that spammers keep finding new ways to get around detection and we have to keep finding new ways to plug the holes. Sadly, you’ve fallen victim to a side effect of one of those ‘plugs’.
January 29th, 2007 at 6:29 am
Thanks for all the comments. Anon states:
“That you’ve been good netizens and not sent out spam doesn’t really come into it. How are spamhaus supposed to know about that?! And if they try to evaluate every single block manually they’d miss the campaign and the spammer wins.”
Actually, I do expect SpamHaus to know as we went through this exact same situation two years ago and our IP was to be whitelisted. They have the capability as they did it back then. Our IP address has not changed in over five years. Adding us back into the list with a whole subnet means they are either lazy or they are trying to FORCE us to switch ISPs.
We have a single server on a rack owned by a friend that happens to be located at Level3. Both are small businesses and moving the rack to another colo facility is possible, but a huge pain, especially when I know that SpamHaus can whitelist our ISP and also that they know we are an innocent bystander in this whole battle they are having with Level3.
Again, this is an abuse of their authority. They know they have power because they are so widely used, so they are inappropriately using that power against our organization to try and coerce us to switch to another ISP. Is that acceptable behavior or should they simply be doing the job that we are counting on them to do (yes I used SpamHaus too) which is maintain an accurate spam sources database.
I can assure you that if there was more awareness about these types of tactics they apply and their treatment of an organization like ours, fewer people would choose SpamHaus as a solution. We are just here on the net trying to do good work and one arrogant organization can decide to significantly impact our business operations with no justification whatsoever.
Also, I know that they only provide the list and implementation is voluntary, but they have established a key role in the internet infrastructure space and they need to step up to the responsibility of providing accurate listings.
January 29th, 2007 at 7:32 pm
And let’s say hypothetically, one of your systems had been exploited and infected with a spambot.
Can spamhaus be expected to accept that, since you were squeaky clean 2 years ago, you couldn’t possibly have been exploited too and quite unaware that you are sending out spam now?
January 29th, 2007 at 8:44 pm
Anony,
That is a stupid hypothetical. Had one of my systems here been accused of spamming, I would expect to have to evaluate the circumstances and work with SpamHaus to figure out why we were listed.
The point you are missing is that none of our IPs are being listed (we only have one). Look at the SpamHaus record, we are being listed because another IP address in our subnet is being accused of spamming. Our crime is “living in a bad neighborhood” by SpamHaus’ standards. According to my friend Bob Stratton, the whole Internet is a bad neighborhood, so what is a company to do.
Listing the whole subnet when only one IP address is accused of spamming is lazy and irresponsible, which is the basis of my complaint. What is even worse is we have no avenue to address it based on our ISP. SpamHaus will only deal with the accused!
We went through our first full business day and this is still not resolved. Can you understand my frustration under these circumstances? We have NOT been accused of spamming. It is not a matter of we had a squeaky clean IP and then get reported and our asking SpamHaus not to list us based on past reputation. They are listing us with no evidence of spamming from our IP address! If they want to list 200 other IP addresses in our subnet for spamming, they are welcome to. Just leave our IP address alone and don’t coerce us to try and leave Level3!
January 30th, 2007 at 3:03 am
Spamhaus have three databases
- One where spam has come from (SBL)
- One where no email should come from (PBL)
- One from where exploits come from (XBL) -[includes CBL and NJABL sources]
Which one(s) are you listed on?
January 30th, 2007 at 3:15 am
Matt,
if you switch to an ISP that takes spam seriously, you will not have problems. One major problem of spam is ISPs that don’t care. Due to their sloppy practices, their innocent customers get hurt. Bad, but if that customer switches to a better ISP we all win, and the lazy ISP loses business.
January 30th, 2007 at 4:55 am
I manage the server and domain for my employer. About 2 months after I began work last fall the linux firewall server was hacked and broke. By the time I was aware on Monday it was too late. Spam had been sent out. I found out when email bounced and followed the procedure in the bounce response. The block was lifted immediately. I spoke with a person at the phone number listed and the technician at Go-Daddy confirmed verbally that it was a single spam report from the time the server was hacked. (I suppose one nice thing about them can be said.) The result is the domain is clear. If it can work that easily for us I find it very upsetting that they are not following rules and procedures they put forth themselves. Knowing the domains controlled by Go-Daddy, I can easily imagine the number of bounces you must get. It does sound bad.
January 30th, 2007 at 6:05 am
Shephard, we are on the SBL database. The actual record is linked above in my post. If you click on the link, you see that we are listed, not because we spammed, but because we are in the same subnet as an alleged spammer.
Egil, which ISP would you recommend. We are at Level3 which is a well established ISP here in the U.S. However, SpamHaus should not be trying to coerce people into switching ISPs because they maintain a spam database. That would be illegal in the United States. It makes them no different than an organized crime group that forces businesses to pay extortion money to keep the business “safe”. They should be worried about whether our IP address spams or not. That is the objective role the community has come to depend on them to provide.
Right now they are violating their trusted objective position to try and coerce or extort us to switch ISPs. Maybe they will keep listing us until we switch to an ISP that makes fat donations to SpamHaus?
January 30th, 2007 at 8:02 am
Your domain terrorism.com has two MX servers listed and your domain terrorism.org has one MX listed:
mail.terrorism.com 63.210.43.55
mail.cryptonetwork.com 192.148.252.155
mail.homelandsecurity.com 63.210.43.55
A SpamHaus lookup shows:
63.210.43.55 is not listed in the SBL
63.210.43.55 is not listed in the PBL
63.210.43.55 is not listed in the XBL
192.148.252.155 is not listed in the SBL
192.148.252.155 is not listed in the PBL
192.148.252.155 is not listed in the XBL
In your posting you claim “We’ve operated on the same single static IP address for five years” so it is safe to assume you are sending your outgoing mails through your IP 63.210.43.55.
Your statement “For example, right now my organization the Terrorism Research Center is being blocked by SpamHaus.” is not correct as SpamHaus is not listing your IP 63.210.43.55.
In your posting you also claim “This is exactly what SpamHaus is doing to TRC right now”. The link you provide is:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL50488
This link shows the listing for 63.210.43.133/32 which is a single IP address listed on the Spamhaus Block List (SBL). This is NOT a subnet listing, just a single IP address listing.
The listing of IP 63.210.43.133 does not affect your IP 63.210.43.55 thus you should have no problem at all.
Could you please explain why you believe SpamHaus has listed you as it is very clear you are NOT listed in SpamHaus.
Unless you are using the IP 63.210.43.133 for outgoing mail you should have no problem at all.
January 30th, 2007 at 8:31 am
Arne,
Look at the date of my post (January 28th). Now look at the date that SpamHaus record was updated (January 30th). They have obviously modified the listing as of today to block a single IP address. This is great as this is exactly what they should have done in the first place. The change is likely the result of my issue being sent to Politech and its associated readers late last night, many of whom started to make some noise on this.
SpamHaus changed the listing today. The prior listing that the link pointed to was for 63.210.43.0/24, which did impact our IP address of 63.210.43.55.
Please don’t imply I am making this up because SpamHaus changed the listing. They were blocking the entire subnet, now they are not.
This issue is far from over because we need to hold SpamHaus accountable for their lazy and coercive practices. They should not be blocking entire subnets, especially when they have proof that doing so will hurt legitimate organizations (we provided that proof in 2005 to them). They should not use their status as the maintainers of a widely used spam database to coerce organizations to switch ISPs. They need to stay in their lane and focus on providing accurate listings.
January 30th, 2007 at 8:42 am
I subscribed to your TRC-Alerts mailinglist and I received both the confirmation of subscription mail and the Welcome to the TRC-Alerts@terrorism.org mailing list mail.
My mail server does not accept any connections from IP addresses listed by SpamHaus thus this confirms clearly you are NOT listed by SpamHaus.
Your mails were sent from IP address 192.148.252.155 which is NOT listed by SpamHaus.
I suspect you don’t know what “/32″ means in 63.210.43.133/32. It seems that you believe /32 means a subnet listing, which is not correct. /32 means just a single IP address.
If you go to http://www.dnsstuff.com and scroll down to CIDR/Netmask you can learn more about what /32 means. You can also learn more at:
http://www.answers.com/main/ntquery?s=CIDR&gwp=13
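What /32 and /24 mean in practice, as an added example that is not part of the original post or of any SpamHaus tooling: a small Python check that computes which addresses a CIDR listing covers, using the addresses quoted in this thread. The pairing of the two listings with events (the /24 the blog author reports, the /32 shown in SBL50488) is taken from the comments above, not from a live SBL query.

```python
# Added example (not from the original post or from SpamHaus): what a CIDR
# listing such as 63.210.43.133/32 or 63.210.43.0/24 actually covers.
# The addresses are the ones quoted in the comments; the "old" and "new"
# listing below are the /24 the author reports and the /32 in SBL50488.

def parse_ipv4(ip: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"bad octet in {ip!r}")
        value = (value << 8) | int(part)
    return value


def parse_cidr(listing: str):
    """Split 'a.b.c.d/n' into (network, mask, prefix_len); a bare address is /32."""
    addr, _, plen = listing.partition("/")
    prefix_len = 32 if plen == "" else int(plen)
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range in {listing!r}")
    # The mask has prefix_len leading one-bits. /32 keeps every bit, so it
    # matches exactly one address; /24 zeroes the last octet and matches 256.
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return parse_ipv4(addr) & mask, mask, prefix_len


def address_count(listing: str) -> int:
    """Number of IPv4 addresses a listing covers."""
    _, _, prefix_len = parse_cidr(listing)
    return 1 << (32 - prefix_len)


def listing_covers(listing: str, ip: str) -> bool:
    """True if ip falls inside the listed block."""
    network, mask, _ = parse_cidr(listing)
    return parse_ipv4(ip) & mask == network


def affected_listings(listings, ip: str):
    """The entries of an SBL snapshot that would block mail sent from ip."""
    return [entry for entry in listings if listing_covers(entry, ip)]


# Constructed from the IPs quoted in the thread; not a live SBL query.
TRC_MAIL_IPS = ["63.210.43.55", "192.148.252.155"]
OLD_LISTING = "63.210.43.0/24"     # the whole block, as the author reports it
NEW_LISTING = "63.210.43.133/32"   # a single address, as shown in SBL50488

if __name__ == "__main__":
    for ip in TRC_MAIL_IPS:
        print(ip, "covered by old /24:", listing_covers(OLD_LISTING, ip),
              "| covered by new /32:", listing_covers(NEW_LISTING, ip))
    print("/24 covers", address_count(OLD_LISTING), "addresses;",
          "/32 covers", address_count(NEW_LISTING))
```

Run against the two TRC addresses, the /24 covers 63.210.43.55 and the /32 does not, which is the whole difference between the two versions of the record; the same function applied to a pasted SBL snapshot tells you at a glance which entries, if any, touch your outgoing mail hosts.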
January 30th, 2007 at 8:53 am
The time stamp for the SpamHaus record is 30-Jan-2007 09:34 GMT, four hours ago.
Two hours ago you wrote:
Administrator Says:
January 30th, 2007 at 6:05 am
Shephard, we are on the SBL database.
That is 2 hours later than the SpamHaus time stamp. For a reader it looked like you did not understand the 63.210.43.133/32.
I have only seen 63.210.43.133/32 in SpamHaus and my posting was according to that.
January 30th, 2007 at 9:18 am
Yes, shame on me. I did not check the listing when I woke up and the listing had changed since I had gone to bed.
A more accurate response is we WERE on the SBL. I didn’t realize they had changed the record when I posted my reply.
Core issues are still up for discussion.
January 30th, 2007 at 9:46 am
I suggest you daily check:
http://www.dnsstuff.com/tools/ip4r.ch?ip=63.210.43.55
http://www.dnsstuff.com/tools/ip4r.ch?ip=192.148.252.155
It is always good to know if the IP addresses used for outgoing mail are listed on any DNSBL.
You also have no SPF record and I strongly suggest you add the following records to your DNS:
terrorism.org. IN TXT “v=spf1 a mx -all”
terrorism.com. IN TXT “v=spf1 a mx -all”
By adding these SPF records to your DNS you are making life a lot easier for us mail admins. Today I can’t exempt your mailing list mails from passing through SpamAssassin but if you add these SPF records I can exempt you. Because if you add these SPF records I know that your mail really is coming from your hosts and not from some spammers hosts.
Please read more about SPF at:
http://www.openspf.org
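The two checks suggested in this comment, a DNSBL lookup of the outgoing IP and an SPF record for the domain, as an added example that is not taken from the original post, from SpamHaus or from openspf.org. A constructed record store stands in for DNS so the script runs offline; live_resolve_a is the drop-in for a real DNSBL query. Which MX host serves which of the two domains is assumed for the example, the ZEN return-code table is the one Spamhaus documents today (assumed to cover the SBL/XBL/PBL zones named earlier in the thread), and the SPF evaluator handles only the a, mx, ip4 and all mechanisms. The practitioner's caveat it is built to show: a record ending in -all tells receivers to reject mail from any host the record does not name, so before publishing one, evaluate it against every IP that actually sends for the domain; the constructed data deliberately includes one it misses.

```python
# Added example, not code from the original post, SpamHaus or openspf.org:
# a DNSBL lookup of the sending IP and an SPF evaluation of the sending
# domain. Offline by design: FAKE_DNS stands in for the resolver and every
# record in it is constructed (hostnames and IPs are quoted from the thread,
# but which MX host serves which domain is assumed, not verified).
import ipaddress
import socket

# zen.spamhaus.org return codes as Spamhaus documents them today (assumption:
# they cover the SBL/XBL/PBL zones named in the thread). Answers in
# 127.255.255.0/24 are error codes, e.g. a query sent via a public resolver.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
             "127.0.0.4": "XBL", "127.0.0.5": "XBL",
             "127.0.0.6": "XBL", "127.0.0.7": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL convention (RFC 5782): reverse the octets, then append the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_check(ip, resolve_a, zone="zen.spamhaus.org"):
    """Names of the lists containing ip; [] means NXDOMAIN, i.e. not listed.
    resolve_a(name) returns the A records for name, or [] if there are none."""
    answers = resolve_a(dnsbl_query_name(ip, zone))
    if any(a.startswith("127.255.255.") for a in answers):
        raise LookupError(f"DNSBL error code {answers} for {ip}: no verdict")
    return sorted({ZEN_CODES.get(a, "unknown(" + a + ")") for a in answers})

def live_resolve_a(name):
    """Real resolver for interactive use: every A record, [] on NXDOMAIN."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, lookup):
    """Evaluate domain's v=spf1 record for client_ip. Subset of RFC 7208: the
    a, mx, ip4 and all mechanisms with qualifiers; no include, redirect or
    macros. lookup(name, rtype) -> list of strings (MX entries as hostnames)."""
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"           # nothing published: the receiver learns nothing
    if len(records) > 1:
        return "permerror"      # RFC 7208 s4.5: more than one record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(client_ip in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "ip4":
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside the subset handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # RFC 7208 s4.7: nothing matched and no 'all'

# Constructed stand-in for DNS. The SPF text is the record the comment
# proposes; mail.cryptonetwork.com is deliberately left out of terrorism.org's
# MX set to show what '-all' does to a sending host the record does not cover.
FAKE_DNS = {
    ("terrorism.org", "TXT"): ["v=spf1 a mx -all"],
    ("terrorism.org", "A"): ["63.210.43.55"],
    ("terrorism.org", "MX"): ["mail.homelandsecurity.com"],
    ("mail.homelandsecurity.com", "A"): ["63.210.43.55"],
    ("mail.cryptonetwork.com", "A"): ["192.148.252.155"],
    ("terrorism.com", "TXT"): [],                              # no SPF published
    ("example.net", "TXT"): ["v=spf1 ip4:192.148.252.0/24 ~all"],
    ("133.43.210.63.zen.spamhaus.org", "A"): ["127.0.0.2"],    # SBL50488 host
    ("55.43.210.63.zen.spamhaus.org", "A"): [],                # not listed
    ("2.0.0.127.zen.spamhaus.org", "A"): ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    ("7.100.51.198.zen.spamhaus.org", "A"): ["127.255.255.254"],  # error answer
}

def fake_lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def fake_resolve_a(name):
    return fake_lookup(name, "A")

if __name__ == "__main__":
    for ip in ("63.210.43.133", "63.210.43.55"):
        print(ip, "listed on:", dnsbl_check(ip, fake_resolve_a) or "nothing")
    for ip in ("63.210.43.55", "192.148.252.155"):
        print("terrorism.org from", ip, "->", spf_check("terrorism.org", ip, fake_lookup))
```

With the constructed data, 63.210.43.133 comes back as SBL-listed and 63.210.43.55 as not listed, and "v=spf1 a mx -all" passes mail from 63.210.43.55 but fails mail from 192.148.252.155, the host the earlier comment saw the mailing list use. In live use, a 127.255.255.x answer means the query was refused (typically because it went through a public resolver) and must not be read as "not listed".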
January 30th, 2007 at 10:29 am
Civil Persons, please stop shouting!
It seems SpamHaus is operating in STEALTH mode and not being transparent. This is the approach that happens at SPEWS and the reason we don’t offer any trust to the SPEWS list. There are too many good ip’s blocked by their hidden process. It is interesting that a post goes in on the 28th at > which links the event reference number and nothing happens until after a posting in the politechbot list on the 30th. I am reposting this as well to the politechbot list.
From what I would gather it seems that SpamHaus has at least one intelligent individual that reads Politechbot. Perhaps not evident but the timing is interesting. We need to recall that SpamHaus is on GMT and they work accordingly. Declan’s post went out Tue, 30 Jan 2007 00:40:23 -0800 (PST) and the record of the complaint was “created” almost 90 minutes later. >. I do not see any removal of a similar ip range. It seems SpamHaus is operating in STEALTH mode and not being transparent. This is the approach that happens at SPEWS and the reason we don’t offer any trust to the SPEWS List. It is interesting that a post goes in on the 28th, links the event reference number and nothing happens until after a posting in the politechbot list. I am reposting this as well to the politechbot list.
the full list of changes is here.
From SpamHaus. The latest 25 lists are transient by nature so a snapshot is handy.
Latest 25 listings (one entry per line: SBL ID, listed block, ISP, time of last update, reason)
Listings in yellow are known spam gangs with ROKSO records
SBL50629  81.80.228.135/32    francetelecom.com  30-Jan-2007 13:57 GMT  Persistent porn spam emitter at spss.com
SBL50619  82.138.77.192/28    cogentco.com       30-Jan-2007 13:35 GMT  logoshaker.com spam from mailflipX.edt02.net
SBL50628  210.245.160.139/32  newworldtel.com    30-Jan-2007 13:24 GMT  “Etty Productions” | HerbalKing
SBL50627  194.203.152.104/32  uk.uu.net          30-Jan-2007 12:22 GMT  win2padmz.winchester.gov.uk: compromised server
SBL50626  221.122.60.133/32   chinacomm.com.cn   30-Jan-2007 12:11 GMT  trm.cn (site)
SBL50336  204.15.134.124/32   ndchost.com        30-Jan-2007 10:57 GMT  Source of proxy/botnet hijack spamming (Anthony Ferlanti)
SBL50488  63.210.43.133/32    level3.net         30-Jan-2007 09:34 GMT  Exemplar/s2u2.com spamming scraped spamtrap addresses
SBL50625  71.6.157.0/24       cari.net           30-Jan-2007 05:25 GMT  Stephen Harper AKA camcoocay.com
SBL50624  66.36.244.26/32     hopone.net         30-Jan-2007 05:22 GMT  Stephen Harper AKA camcoocay.com via Hydra Media
SBL50623  216.82.108.0/28     e-xpedient.com     30-Jan-2007 05:21 GMT  Irv Freiberg – Absco, LLC – WayBeyond Communications
SBL50622  86.105.230.0/24     terranet.ro        30-Jan-2007 00:53 GMT  ns1.woleza.net / ns2.mogery.net
SBL50621  195.117.192.67/32   tpnet.pl           30-Jan-2007 00:43 GMT  spamming http://fghtng.eartlit.com/
SBL50620  64.41.126.140/32    hostway.com        30-Jan-2007 00:15 GMT  logoshaker.com (MX)
SBL47169  66.232.149.43/32    hostway.com        30-Jan-2007 00:08 GMT  http://www.logoshaker.com
SBL50617  81.171.199.211/32   star.net.uk        29-Jan-2007 22:53 GMT  mule spam – spammers’ DNS (time-am.com)
SBL50616  65.99.201.160/32    colo4dallas.com    29-Jan-2007 22:53 GMT  mule spam – spammers’ DNS (time-am.com)
SBL50615  86.104.216.169/32   euroweb.ro         29-Jan-2007 22:49 GMT  mule spam
SBL50614  68.143.205.178/32   nuvox.net          29-Jan-2007 22:44 GMT  Mule spam
SBL50613  70.168.83.0/32      cox.net            29-Jan-2007 22:42 GMT  extolfinanceclaimsdeptss@yahoo.co.uk
SBL50612  68.142.212.0/32     yahoo.com          29-Jan-2007 22:42 GMT  extolfinanceclaimsdeptss@yahoo.co.uk
SBL50611  81.199.58.181/32    gilat.net          29-Jan-2007 22:40 GMT  Advance Fee (Lottery) Fraud
SBL50439  151.8.85.1/32       wind.it            29-Jan-2007 22:39 GMT  Yambo Financials: Yambo botnet webhosts/nameservers (compromised systems)
SBL45160  159.149.153.215/32  garr.it            29-Jan-2007 22:37 GMT  Yambo Financials: Spammer controlled nameserver / compromised host
SBL50610  63.138.45.93/32     paetec.com         29-Jan-2007 22:37 GMT  Virus Source
SBL50609  88.14.30.0/24       telefonica.es      29-Jan-2007 22:35 GMT  Advance Fee (Lottery) Fraud
Latest 25 issues resolved and removed from the SBL (one entry per line: SBL ID, removed block, ISP, time of removal, original reason)
The following spam issues have been terminated/resolved on the dates shown, and have been removed from the SBL.
SBL50549  221.130.191.18/32   chinamobile.com       30-Jan-2007 13:19 GMT  Herbalking HTTP-redirectors and DNS (“Etty Productions”)
SBL45033  200.101.43.3/32     brasiltelecom.net.br  30-Jan-2007 11:59 GMT  multiple phish webpages (LLOYDS TSB BANK, TCF Bank, ..)
SBL43634  201.10.75.180/32    brasiltelecom.net.br  30-Jan-2007 11:58 GMT  Spammer webhosting – knowcearoundor.org
SBL50279  194.30.161.0/24     astral.ro             30-Jan-2007 09:48 GMT  getfirefox.latest-tools.com
SBL50434  193.252.22.157/32   francetelecom.com     30-Jan-2007 09:15 GMT  Advance Fee Fraud – no action by France Telecom
SBL50467  61.237.227.9/32     crc.net.cn            30-Jan-2007 07:41 GMT  adpro.com.cn
SBL50618  216.32.73.234/32    layeredtech.com       30-Jan-2007 06:04 GMT  Leo Kuvayev / BadCow: HealthSuite/PharmacyExpress, etc.
SBL50548  222.122.12.112/32   kornet.net            30-Jan-2007 02:48 GMT  Source of proxy/botnet hijack spamming (“King Replica”)
SBL50547  222.122.12.113/32   kornet.net            30-Jan-2007 02:48 GMT  Source of proxy/botnet hijack spamming (“King Replica”)
SBL50546  222.122.12.111/32   kornet.net            30-Jan-2007 02:47 GMT  Source of proxy/botnet hijack spamming (“King Replica”)
SBL50544  222.122.12.115/32   kornet.net            30-Jan-2007 02:47 GMT  Source of proxy/botnet hijack spamming (“RX Pharma”)
SBL50553  203.12.0.152/32     pacific.net.au        30-Jan-2007 01:35 GMT  Advance Fee Fraud
SBL50584  209.242.20.66/32    dls.net               30-Jan-2007 00:31 GMT  Hacked server hijacked to spam (form mailer?) abrhgtyr.com
SBL48820  218.104.136.164/32  china-netcom.com      29-Jan-2007 23:41 GMT  Leo Kuvayev / BadCow: HealthSuite/PharmacyExpress, etc.
SBL50518  81.27.99.100/32     inetc.net             29-Jan-2007 23:38 GMT  Wayne Mansfield: Spam Source
SBL49412  72.237.24.131/32    level3.net            29-Jan-2007 23:10 GMT  ns1.bg-arati.com (mule job scammers NS)
SBL33662  207.199.196.8/32    netins.net            29-Jan-2007 22:56 GMT  Paypal Phish (source)
SBL26992  201.11.56.0/24      brasiltelecom.net.br  29-Jan-2007 22:14 GMT  Proxy spamming – hijacking open proxy ports
SBL26984  200.103.128.0/24    brasiltelecom.net.br  29-Jan-2007 22:12 GMT  Proxy spamming – hijacking open proxy ports
SBL49639  195.161.128.231/32  rtcomm.ru             29-Jan-2007 22:12 GMT  ns1.aruanresar.com / ns2.bustersolg.com
SBL41394  200.138.101.0/24    brasiltelecom.net.br  29-Jan-2007 22:05 GMT  Criminal Proxy spammers – hijacking virus infected PCs
SBL41392  201.40.214.0/23     brasiltelecom.net.br  29-Jan-2007 22:05 GMT  Criminal Proxy spammers – hijacking virus infected PCs
SBL50580  208.66.72.202/32    versaweb.net          29-Jan-2007 22:02 GMT  Leo Kuvayev / BadCow: Spammer DNS – ns0.adesuikintandefunhandesun.com
SBL49318  76.164.203.0/24     versaweb.net          29-Jan-2007 22:01 GMT  ALLWATERSOURCE.COM NS’s domains spamming
SBL36864  200.103.145.0/24    brasiltelecom.net.br  29-Jan-2007 21:28 GMT  Criminal Proxy spammers – hijacking virus infected PCs
January 30th, 2007 at 11:48 am
Bill,
Thanks for the posting. No action was taken on my blog post, but I don’t expect SpamHaus to read my blog. However, I posted to my blog a day after we had filed for resolution with SpamHaus. My admin contacted them on the 27th and the ISP contacted them on the 27th. Action was only taken when I started making noise on Politech and Jeff Williams forwarded the Politech message to several ICANN lists and others that would be interested in this situation.
I did not post to Politech seeking action (afterall, we put technical workarounds in place to minimize the impact), but to attract awareness to SpamHaus’ actions and attitude. They have established themselves as a trusted member of the community and they need to behave appropriate to the trust placed in them. Their actions on this issue were not up to the standards we should expect of them.
Also, the operating in stealth mode is a concern. If I didn’t have Politech to provide additional exposure on this issue, how much longer would the record have gone uncorrected.
January 30th, 2007 at 1:02 pm
To set the record straight: SPEWS has been dead since August, 2006. I just posted some info about that on my website, if you want to know more. I have nothing to do with SPEWS, I just noted that it’s broken and AWOL and figured it would be useful to give people guidance on how to check that and deal with it.
As far as “stealth mode” and what’s actually going on with the underlying situation, this post is lacking in facts in the extreme. Lots of assumptions filling data gaps doesn’t necessarily compel the reader to take your side on this. You might want to retitle this “Our ISP is involved in talks with Spamhaus and they’re big meanies because they’re not telling us what’s going on!” as it’s likely a bit closer to the truth.
Hey, I’m all for calling out blacklists when they do the wrong thing. I used to run at least two lists back in the day myself, and nowadays I work with clients who are sometimes impacted by blacklists. I have some pretty strong opinions on the topic. It would just be nice to see something more substantive and factual here instead of just some random guy blowing a gasket over being on a blacklist for three days and making wild assumptions as to why.
January 30th, 2007 at 1:12 pm
What I find even more troubling, is how an unknown set of people, operating in Stealth mode, can have the power to basically cause a DoS attack on any entity on the web, and blame it on “collateral damage for the greater good of the whole”. After a few days, they ‘rectify’ the issue, with nobody being held liable.
Who has access to the ‘honeypots’? Who has access to the ‘internal database’? Who can certify that only key, trusted people can manipulate the information? Can this be certified?
Until these questions are answered, (and thus put an end to the Stealth mode of operation), using such an irresponsible service could be ‘business suicide’. Minimal impact to a person running their own email server, but a potential huge loss of revenue to a business…
January 30th, 2007 at 5:00 pm
Al, what assumptions am I making? What additional details do you need?
Your interpretation of “our ISP is talking to SpamHaus” seems completely wrong to me. I am fully aware of what happened in this situation and I think the details can be easily derived in the posts and comments above.
Fact: We operate a server on the IP address 63.210.43.55
Fact: We have operated at that IP address for 5 years.
Fact: We have never spammed, nor have we been accused of spamming.
Fact: The IP address 63.210.43.133, operated by Shop2U gets caught spamming. Good catch, looks like they are guilty as charged based on the evidence.
Fact: Rather than listing the individual IP address, SpamHaus lists the entire class C in the database.
Fact: This has an impact on my business operations. Mail starts bouncing, customers start complaining, etc. To the casual user, it looks like TRC is part of the spam network.
Fact: SpamHaus does not fix this situation, even though they were aware of it until a lot of attention is attracted to it.
Fact: SpamHaus corrects the situation this morning, correctly listing the offending IP instead of the whole subnet
Fact: SpamHaus uses the subnet listing (even when they know it impacts innocent non-spamming companies) as a tool to coerce you to change your ISP
Fact: I think this is irresponsible behavior. We should expect and demand more from them.
Fact: Some folks agree, some folks disagree.
January 30th, 2007 at 9:49 pm
interesting item. as of 18:51 -8 (PST) 30 Jan 2007
I get this response…
brk@mail:~$ ping spamhaus.org
ping: unknown host spamhaus.org
brk@mail:~$
January 30th, 2007 at 9:52 pm
Three minutes later – they are responding to pings from me with zero packet loss.
January 30th, 2007 at 11:07 pm
Interesting that you get pings… I still get
brk@mail:~$ ping spamhaus.org
ping: unknown host spamhaus.org
from both Stockton CA and Boston, MA as of 20:11 -8 PST
February 3rd, 2007 at 3:19 am
Administrator, you state the following incorrectly:
“Fact: This has an impact on my business operations. Mail starts bouncing, customers start complaining, etc. To the casual user, it looks like TRC is part of the spam network.”
I’m sorry, but “To the casual user, it looks like…” is an assumption, not a fact.
“Fact: SpamHaus does not fix this situation, even though they were aware of it until a lot of attention is attracted to it.”
Unless you have proof that Spamhaus ignored the situation UNTIL “attention [was] attracted to it” this appears to also be an assumption.
“Fact: SpamHaus uses the subnet listing (even when they know if impacts innocent non-spamming companies) as a tool to coerce you to change you ISP”
Again, an assumption on your part unless you have some proof that Spamhaus is attempting to coerce you (or anyone) into switching ISPs.
“Fact: I think this is irresponsible behavior. We should expect and demand more from them.”
This is an opinion, not a fact.
I really think you’ve managed to shoot yourself in the foot. What I see here is the twisting of “facts” to fit your perspective, and a bit of hyperbole… At this point I don’t know if you can recover your original argument.
February 3rd, 2007 at 7:35 am
Larry,
To address your response:
“To the casual user” is in fact based on actual feedback from customers and associates. I am not going to post private conversations here as evidence. Certainly, it does not apply to all casual users as I can’t speak for them, but I can speak to the ones my staff and I interacted with.
“SpamHaus does not fix the situation”…It is a fact the situation was not fixed until after the Politech mailing went out. It is a fact requests for resolution were submitted 4 days prior to that with no action. You are correct in your assumption that I cannot show that being discussed in Politech led to the removal. SpamHaus refuses to enter the conversation and discuss, which has led to other individuals accusing them of operating in stealth mode.
“SpamHaus uses the subnet listing” is based on actual conversations with SpamHaus when this exact same thing happened to us in 2005. I have no evidence I can post to back this up, so a certain leap of faith is required if you do not know me. For those that do know me, which comprise the majority of the regular readers of this blog, there will be no question of my integrity in making a statement like that. You are welcome to question it, but I stand by my statement. When contacted, SpamHaus did in fact say that they didn’t care about harm to our business due to their subnet blocking and that if we didn’t like it we should switch ISPs. I cannot say whether that is their approach with other subnet listings, but it was with ours. From their perspective it was our responsibility to change ISPs, but they had no responsibility to provide accurate information about our subnet.
“I think”…is it not a fact that I have that opinion?
February 3rd, 2007 at 7:53 am
Evidence works both ways. Per the SpamHaus web site:
“SBL listings are backed up with evidence which has fully satisfied the SBL team that the IP address or IP range is under the control of a spammer, spam operation or a spam support service and represents an unwanted nuisance or threat to mail systems using the SBL.”
What evidence does SpamHaus have that the subnet is under the control of a spammer? In fact, they had evidence in 2005 that the subnet was NOT in control of a spammer. In addition to our discussions with them, another customer on the same subnet emailed them that “We are an example of where a Class C is shared in a hosted environment”.
Where is SpamHaus’ evidence?
February 5th, 2007 at 3:59 pm
At least you were on a list actually maintained directly by Spamhaus.
We’ve had an effective DoS on our mail server by virtue of ending up on the NJABL list of dynamic IPs. Our IP is neither dynamic, nor residential.
It resolves properly and we have the appropriate A record.
Like you, this is not based on any spam report. Instead, it appears that our IP was added to this list in error. What is really unfortunate is that the NJABL list is no longer even actively maintained.
I’ve emailed the listed contacts for both domains, but have received no response as expected.
My only solution at this point is to contact the other email admins to have them drop this particular RBL, and later to complain to ICANN, which I’m sure will also prove to be of no avail.
There really *is* an accountability problem with SpamHaus.
I long ago stopped using them as an RBL provider as they caused me more time creating exceptions for their inaccuracies than they saved.
We shouldn’t have to be constantly picking up the phone to make our email go through.
March 17th, 2007 at 2:08 am
In a recent real-time test run, the SBL block list (operated by spamhaus.org) could only detect 25 unique spams out of 63,000 spam emails. Unique spams mean spam emails that could not be detected by a combination of other FREELY available block lists such as:
URIBL : http://www.uribl.com
SURBL : http://www.surbl.org
CBL : cbl.abuseat.org
SPAMCOP : http://www.spamcop.com
DCC : http://www.rhyolite.com/anti-spam/dcc
UCEPROTECT L1 : http://www.uceprotect.net
NJABL-DUL : http://www.njabl.org
SBL is made up of 2 components: The SBL and the URIBL_SBL which detects spamvertized URLs inside the body text of emails. The 25 unique spams caught by SBL in the test run included both components.
As any enlightened insider involved with anti-spam filtering will tell you: spamhaus.org/linford is nothing but a PR machine based on pulling the wool over the unsuspecting and gullible system admins’ eyes with obscure data and unproven claims. Some of these admins have been conned by the spamhaus/linford PR machine to such an extent that they cough up a whopping $14,500 every year for the privilege of subscribing to a worthless list capable of detecting roughly 400 unique spams for every 1,000,000 (1 million) spam emails.
On its front page, spamhaus claims “a spam-free world just a few clicks away”… What a joke, mister linford !
April 7th, 2007 at 6:20 am
Akbar Nuna (actually a spammer pretending to be an ‘interested user’) Says:
In a recent real-time test run, the SBL block list (operated by spamhaus.org) could only detect………
Oh great, now we have spammers posting here too to disseminate FUD.
April 8th, 2007 at 10:50 am
Arne,
Sorry, your comments got stuck in the spam filter on this blog. Despite the fact they are now very late, I’ve approved them so they are part of the historical record.
BTW, I do know the different subnet designators. As you can read above, they changed the listing on the 30th.
Thx
April 8th, 2008 at 9:07 pm
If Spamhaus is blocking your IP because a good portion of your subnet is littered with spammers you need to complain to YOUR ISP about the problem. Their policies are allowing the problem to occur.
If your hosting company or ISP won’t stop the spammers, fire them and go to a company that doesn’t support spammers.
Any good ISP or Hosting Company will refuse to do business with spammers.
April 13th, 2008 at 8:13 am
It was not littered with spammers. It was one IP address and it was up for debate with the ISP whether they were deliberately spamming.
I agree that companies shouldn’t do business with spammers and the reputational and past behavior aspect is always a factor when picking an ISP. In this case, our hosting provider was recommended strongly by a close business associate and we were hosted for years without any problems of this nature. It wasn’t until 1800 Flowers or whomever was spamming moved to the host that we started having problems. Regardless, the community should exert pressure on the actual spammers, not diminish the business capacity of a legitimate business doing very time sensitive work to target an ISP or hosting environment.
If Spamhaus wants to influence our ISP/hosting choice, an email from them alerting us to the issue would have gone a lot farther than the extortion tactics they used, which significantly impacted our operations.
September 2nd, 2008 at 5:33 pm
We have the same issue with spamhaus now for 4 weeks over one domain and one report they showed us for spamming. This has been a client for over 3 years with numerous domains and this is the first time they were listed. They insisted it was a mistake and based on the client track record, no reports in 3 years, I believe you would need to take the client's word for it at face value until something else happened.
Spamhaus would have none of it; they blocked the IP and then demanded client name, address, all information, and that the client be terminated.
We would give the client information to them as they are entitled to it without a court order.
Then they demand we terminate the domain in question, we break down and do that, and then 2 days after we do they now block a 2/24 of the range and not just one IP, now we have to IP 50 servers.
They then give us a person's name and ask for more information on the client and we have never had this client ever.
We finally look him up on Google and by all means he is a spammer and the domains we see him using are hosted with Rackspace.
They are abusing their power to the hilt here and no one can do anything about it. Not the DC, not ISPs, not anyone.
You try to call them and they state they do not talk about these types of issues on the phone and to use their ticket system; when we do we get the same person, Angelina, and she is unfair and unreasonable. There is no way to even talk to anyone over her or another person, period, to discuss the issue.
Think about it this way: spamhaus could block 2 million IP blocks for no reason, stop all email for days, and no one could do anything about it.
Now that is a scary thought, is it not?????
Joey
September 2nd, 2008 at 5:37 pm
Revision
We have the same issue with spamhaus now for 4 weeks over one domain and one report they showed us for spamming. This has been a client for over 3 years with numerous domains and this is the first time they were listed. They insisted it was a mistake and based on the client track record, no reports in 3 years, I believe you would need to take the client's word for it at face value until something else happened.
Spamhaus would have none of it; they blocked the IP and then demanded client name and address, all information, and to have the client terminated.
We would not give the client information to them as they are not entitled to it without a court order.
Then they demand we terminate the domain in question, we break down and do that, and then 2 days after we do they now block a 0/24 of the range and not just one IP, now we have to IP 50 servers.
They then give us a person's name and ask for more information on the client and we have never had this client ever.
We finally look him up on Google and by all means he is a spammer and the domains we see him using are hosted with Rackspace.
They are abusing their power to the hilt here and no one can do anything about it. Not the DC, not ISPs, not anyone.
You try to call them and they state they do not talk about these types of issues on the phone and to use their ticket system; when we do we get the same person, Angelina, and she is unfair and unreasonable. There is no way to even talk to anyone over her or another person, period, to discuss the issue.
Think about it this way: spamhaus could block 2 million IP blocks for no reason, stop all email for days, and no one could do anything about it.
Now that is a scary thought, is it not?????
Joey
October 8th, 2008 at 10:58 am
To suggest that Spamhaus do not try to coerce you into moving providers is incorrect. The famous Angelina just told me that is what I should do. We currently have seven innocent servers – many hundreds of companies, two local schools, a monastery and at least 100 companies – blocked because of two incidents from other servers in the same netblock over the last few months.
When I attempted a reasoned reply to Angelina, the response was “579 message content is not acceptable here”, so it looks like they will not even accept email from me – although our email is not on any affected server.
As everyone knows, there are adequate legal responses to UK spammers. The spam problem is primarily overseas spammers, and botnets. Irrespective of some of the pro-spamhaus commentators here, I also think they abuse their powers vastly, and they are ripe for legal action against them. I wish I could afford to take that step myself because I do not think they should be advising people to switch providers as a solution to a problem which they have caused.
October 10th, 2008 at 6:37 am
Just an addendum to the above! Shortly after my servers fell foul of Spamhaus, I got an email from DNSStuff, inviting me to subscribe to a rather expensive realtime RBL monitoring tool. I thought the timing was odd, but would be coincidental.
However, speaking with a colleague who was affected by the same issue, he happened to mention the same thing, server gets blacklisted, and shortly afterwards he gets the same invitation to subscribe to the RBL warning tool.
Maybe I am a cynic but that is now more than a coincidence. My guess is that Spamhaus blocks your server, then when you contact them they sell your targeted email address to DNSStuff.
October 23rd, 2008 at 4:50 am
I want just to say that spamhaus are acting like fascists, but they don’t do the real job.
I worked at an ISP and many times entire blocks of IPs were blocked because a user sent spam from them.
That’s fine, I also hate spammers and I think we all should be punishing them hard, but the problem is not just punishing the IP “provider” or “user” but the mail server too. This is done with a lot of regular SMTP servers, but I never heard that the whole yahoo or hotmail servers were blocked, nor their IP ranges, why? Nowadays, most of the spam is coming out from the free webmail accounts, why don’t they block them? Why do they block only the ISP ranges? If the user didn’t have the option of using a free webmail account, this spam wouldn’t even exist.
There are a lot of antispam services out there for regular SMTP servers, but none of the solutions avoid a webmail spam. The only ones that have the possibility to do something about it are the webmail providers, and they don’t do squat to prevent outgoing spam, it’s not enough that you close an account after receiving a report or complaint, they should implement the same antispam solution they already have, to scan outgoing mails too!
So spamhaus, you can keep punishing spammers, but punish them all! I dare you to block the whole yahoo mail system, let’s see you, big brother!
November 3rd, 2008 at 1:03 pm
While this article makes a VERY good point, you are making a mistake by breaking it down into simplistic analogies. Yes, it would be extremely irresponsible for someone to list a whole neighborhood as sex offenders. However, the problem lies in that Spamhaus doesn’t know what “house” the spammer will spam from next. The spammer can change his IP quite easily if the subnet is dynamic, and Spamhaus doesn’t know who has a static IP and who doesn’t. It’s actually quite rare for a business to sit on an IP block with others who spam; you only hear about it due to the volume of networks, and volume of spammers. Spamhaus has done nothing wrong, and they provide you with a way of removing yourself in a timely manner.
Now if you actually read that blob, good for you. It’s the most efficient way to deal with the problem; Spamhaus has its hands tied. If they didn’t block the entire subnet, spam would run wild.
November 7th, 2008 at 6:02 am
Spamhaus did not provide us with a way of removing ourselves in a timely manner. It was only when I got external pressure on them that they corrected the issue.
Also, they provided no evidence that the spammer was using multiple IP addresses in that subnet. In discussions with the ISP, the “spamming” box was isolated to a single host and they did not try to obfuscate themselves as they considered themselves to be in a legitimate direct mailing business providing services for 1800flowers, etc. Obviously, they did something to get on the SpamHaus list, but nothing was done to justify the entire block in the Spamhaus list, especially when that Class C was servicing several different customers. We only have a legitimate use for a handful of IP addresses and I am not going to irresponsibly utilize a whole Class C just to avoid problems like this.
As I’ve said in the past, SpamHaus needs to demonstrate responsible constraint in blocking entire subnets. They also need to be incredibly responsive when they catch innocent businesses in their net. The appropriate response would have been to whitelist our IP as soon as we reached out to them to enable our business to resume. An inappropriate and completely irresponsible response is to continue to block an innocent IP address as a means of coercion to get us to switch ISPs.
I stand by my assessment that they are irresponsible, arrogant and abuse the power they’ve been entrusted with.
November 24th, 2008 at 3:29 am
I think there needs to be a blacklist that blacklists all the blacklists, one that is controlled by us and not the anti-spammers. Having anti-spammers in control of blacklists is a bad thing. If emailers were in control of the blacklists there would never be any false positives, nothing would ever get blocked. Think about it: If the blacklists stopped stopping their spam spammers would soon regulate themselves to send less spam, maybe stop sending spam altogether.
Blacklisting spammers is irresponsible because (A) how do you know they’re spammers? and (B) even spammers need to work to make a living. Besides when I tried the SpamHaus blacklist on my PC it didn’t stop anything at all in over a week so it obviously doesn’t work.
Also, a blacklist as big as Spamhaus should not be in the hands of one group. It should be run by a professional group we all belong to such as the Direct Marketing Association. Or it should be run by the government that way we can trust it’s run responsibly.
December 3rd, 2008 at 3:39 am
fastpeas.biz
June 20th, 2009 at 10:38 am
I realise what you posted here is well over 2 years old by the time I posted here myself to give you a few of my own opinions after reading your blog post and all the replies that came later.
Your opinions on Spamhaus are generally off-base due to your own perspective on the situation. I took personal interest reading it along with the responses. I have worked with Spamhaus off and on since 2003, so I believe I have a somewhat decent idea how the organisation operates.
Basically, Spamhaus publishes info and services are used on a regular basis by mail administrators and ISPs’ abuse departments who contact Spamhaus via email to get listings removed.
Often when some company or person finds out that their IP(s) are listed on the Spamhaus SBL blocklist for the first time, or just a few times, the person does not understand what is going on, so their best bet is to work with their ISP's abuse department in getting their IP delisted. Trying to do it yourself without full knowledge only works against you and may delay getting it delisted. Spamhaus doesn’t want the affected parties to go to other ISPs; Spamhaus simply wants the spammer that caused the listing to be shut down or terminated or unplugged. You kept saying that Spamhaus wanted you to go to another ISP, that is simply not the case.
Spamhaus is not perfect and they have some issues with keeping old information on their website. I also know that some large spamming sources do not get listed in a timely manner, but given how difficult it is to track spammers, I think Spamhaus overall does a better job than most.
With this in mind, blacklist services all vary tremendously. Some are plain awful, some are overall reasonable such as Spamhaus. There are plenty of DNSBLs (blacklist services) I do not recommend either because they block entire ISPs, make trollish comments in replies or simply do not reply because they are unresponsive and unprofessional: APEWS / SPEWS ASPEWS and its variants, SORBS, and Five Ten. Many blacklists come and go. I don’t think there is an overall fair approach to all this, but Spamhaus generally stays professional in comparison to some of these other services.
I would write more, but I think that this topic has gotten stale and I am not sure if it is being checked since I see a comment spammer entry above who is advertising his botnet.
My final assertion is I would think someone of your calibre of work (terrorism research) would have researched this topic in more detail before making your initial post. Good luck to you and I like your blog, you have some good information posted.