Someone at Spamhaus please contact me concerning your second
consecutive preemptive strike against our IP space.
Fun Fact: No one at Spamhaus has ever successfully sent us an abuse
complaint. Also, some rocket scientist decided that their
sbl-removals@ box should also filter e-mail so blocked parties can't
even get in touch. As such, it will be necessary to reply to jeffrey.lyon@gmail.com vs. @blacklotus.net.
You claim to monitor sbl-removals@ but it seems I've been ignored for
several hours.
I'm not Spamhaus. I don't necessarily agree with their listing
policies, but reading your SBL record, http://www.spamhaus.org/sbl/sbl.lasso?query=SBL100691, it appears that
someone from your ISP has been in contact with Spamhaus, and were less
than thorough in removing the spam gang you guys signed on (PTR
records?), or were less than honest about removing them in the first
place. For the rest of my life I will mentally equate "DDoS protection
solutions" with "foonet". It hasn't failed me since 2001, and doesn't
seem to fail me today.
Spamhaus does monitor sbl-removals@ but they like to do research before
they just remove listings. You'll have less luck getting yourself off
the listings if they feel you're just there to yell at them for being
stupid and don't care enough to take their listing seriously. They were
willing to send us automated notifications about new listings matching
our IP space as they are added, and you can request this via the removal
address when you get a response. They do not file abuse complaints.
If you care to explain why you think they made a mistake in a reasonable
fashion, it's pretty likely you'll get removed and they'll probably be
inclined to give you a bit of extra trust in the future.
We started out very defensive against Spamhaus early on, sending angry,
demanding messages to sbl-removals@. We found things went much better
when we started showing that we considered the information in the
listing and explained what we did to investigate and/or why we felt the
listing was not warranted (either because we cleaned up the issue or
because we felt it was a mistake).
There are many RBLs which demand we wait weeks for the possibility of an
unfriendly and unhelpful response. Spamhaus is by far the easiest to
get along with and most responsive for our network.
That's fine, but the listings don't even make sense. There is no
evidence in the listing and I'm still trying to figure out a) why they
think that these new listings have anything to do with the ones we
already cleaned and b) which customers actually need to be removed and
for specifically what reasons. Their entire mentality is "the site is
pharmacy which means it's part of a criminal spammer gang," regardless
of whether or not that is true.
My initial reply to sbl-removals@ was rather civil, my second reply
not so much. At this point I just need them to check their e-mail and
answer a few questions. I need intelligence to work with if they
expect me to cooperate with them. I have no problem removing customers
that need to be removed but I need to have all of the details to act
on the request.
Our listing is misleading. They show me specifically what needs to be
done and why and we will act on it. The problem is that they expect me
to dig through our customer database and correlate various customers
to ROKSO listings. I don't have the resources for this. If they show
me where the problem exists I will fix it but so far they do nothing
but preemptively block our entire /21 in an attempt to scare us into
mass removal of customers.
Someone there needs to reply to my questions so I can act on their
request. Also, they need to get in touch with ME DIRECTLY before they
ban an entire ISP on multiple occasions. I liken their strategy to
setting ants on fire and watching them scurry. I've shown a
willingness to work with them and correct problems but they think
their only option is to list the entire company each time they need
something done.
Is it really? They list the domains in question and the IPs they resolve
to.
You should not need such resources, if you have a system that ties the
accountability of your users to either a domain name OR an IP address.
(Or at the very least, narrows it down to the point where you have
little to no guesswork remaining.)
I agree that this can be highly frustrating, but it sounds more like a
hosting company unprepared for the inevitable 'oh god the sales guys
have sold servers to a ROKSO spammer!'.
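The lookup the reply above describes, as an added example that is not part of the original thread: each listed domain/IP pair is attributed to the customer holding the most specific allocation that covers the IP. The prefixes are the ones named in the thread; the customer ids, the `.example` domains and the boundary of the covering /21 are constructed assumptions.

```python
import ipaddress

# Constructed allocation table: prefix -> customer id. The prefixes appear in
# the thread; the customer ids and the covering /21 boundary are assumptions.
ALLOCATIONS = {
    "208.64.120.0/21": "UNASSIGNED",      # provider aggregate, no customer record
    "208.64.123.176/30": "cust-1001",
    "208.64.127.64/27": "cust-1002",
}

# Constructed listing rows: (listed domain, IP it resolves to).
LISTING = [
    ("listed-a.example", "208.64.123.177"),
    ("listed-b.example", "208.64.127.70"),
    ("listed-c.example", "208.64.122.114"),
    ("listed-d.example", "192.0.2.10"),
]

def build_table(allocations):
    """Parse prefixes and order them most-specific first."""
    table = [(ipaddress.ip_network(p), cust) for p, cust in allocations.items()]
    return sorted(table, key=lambda row: row[0].prefixlen, reverse=True)

def attribute(ip, table):
    """Return (prefix, customer) for the longest matching prefix, else (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, cust in table:
        if addr in net:
            return str(net), cust
    return None, None

def triage(listing, table):
    """Group listed domains by the customer accountable for the hosting IP."""
    report = {}
    for domain, ip in listing:
        prefix, cust = attribute(ip, table)
        owner = cust if cust else "NOT-OUR-SPACE"
        report.setdefault(owner, []).append((domain, ip, prefix))
    return report

TABLE = build_table(ALLOCATIONS)

if __name__ == "__main__":
    for owner, rows in triage(LISTING, TABLE).items():
        for domain, ip, prefix in rows:
            print(f"{owner:14} {ip:16} {prefix or '-':20} {domain}")
```

Rows that land on `UNASSIGNED` are the ones that still need manual work: the IP is inside the provider's space but no customer record covers it.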
I just blocked a bunch of customer space without any form of due
process or evidence from you:
208.64.123.176/30
208.64.127.64/27
This should resolve SBL101835, SBL101662, and SBL100691.
Let me know if any of our customers have any outstanding parking
tickets, because I would like to null route them as well.
If at any point you would like to actually explain why we were
compelled to do this please feel free to contact us at any time that
is most convenient to you. Don't worry about our customers, they'll be
OK. They understand that you need to arbitrarily block their
e-mail for the common good.
They list domains. For one, these listings are recent and I had no
idea they existed until now. One of them was actually received by our
abuse@ (the first one ever!) on the 14th and the complaint was already
sent to the customer for action. Meanwhile back at Camp Spamhaus, they
can't wait three days for us to sort this out despite the sites having
been online for months.
Second, I still have no idea why they're being listed. I don't see any
spam records and I guarantee you that none of the spam came from our
network. Oh wait, that's right, Spamhaus' policy is to punish us and
thousands of customers for hosting people who are somehow projected to
spam at some future point in time based on a top secret formula for
which only the holiest of spam crusaders are allowed to bear witness.
No actual abuse is required, just the projected possibility of abuse.
Highly frustrating is one way of putting it. I prefer the terms
"tortuous" and "libelous" to go alongside "asinine" and "ridiculous."
I reached out to them about 5 hours ago, still no response but
certainly tens of thousands of mailings rejected. I can only imagine
that this would entail a substantial amount of business our
non-possible-spammers are losing at the moment.
> That's fine, but the listings don't even make sense. There is no
> evidence in the listing and I'm still trying to figure out a) why they
> think that these new listings have anything to do with the ones we
> already cleaned and b) which customers actually need to be removed and
> for specifically what reasons. Their entire mentality is "the site is
> pharmacy which means it's part of a criminal spammer gang," regardless
> of whether or not that is true.
Please stop pretending that you're not hosting e-trash. 208.64.122.114
is still hosting an active SEO poisoning site (myspace-codes.com). I
think, frankly, it would make your life a lot simpler if you just
accepted the fact that BlackLotus sells to e-trash, just like the rest
of the "ddos-protected hosting solutions" companies do.
> My initial reply to sbl-removals@ was rather civil, my second reply
> not so much. At this point I just need them to check their e-mail and
> answer a few questions. I need intelligence to work with if they
> expect me to cooperate with them. I have no problem removing customers
> that need to be removed but I need to have all of the details to act
> on the request.
You have all the intelligence you need. You host e-trash script
kiddies and SEO poisoners. Just go get some wirecutters and snip the
wires coming out of that busted up 6509 you used to tout on WHT and the
problem will be solved.
I have a slogan by the way, "Blacklotus AKA The IRC Company - making
EFnet more trashy since FooNet got raided".
I'm not certain that any Black Lotus IPs are even connected to EFnet.
Secondly, we're more than happy to act on any data presented to us if
they actually care to present it to us before listing the entire ISP.
I'm not sure what non-spam related "e-trash" has to do with any of this.
> I'm not certain that any Black Lotus IPs are even connected to EFnet.
Maybe not presently, but your company has a history in the IRC
community. And it's not a history I would define as "good."
A history of selling "protection" which was in reality not a technical
measure (in fact, we know this because back then your employees said
outright that DDoS mitigation was being done after the point, so no
fancy IntruGuard-like stuff going on there.) but instead an
intimidation measure. As in, "DDoS wars", "mutually-assured DoS", so
on. Kinda like FooNet/Atrivo/etc. Actually, *exactly* like
FooNet/Atrivo/etc.
> Secondly, we're more than happy to act on any data presented to us if
> they actually care to present it to us before listing the entire ISP.
When you keep in mind that many people involved in the anti-abuse
community originate from the IRC community, then it should be no
surprise that they would not wish to waste their time dealing with
people who were part of the "protection racket" of olden days.
> I'm not sure what non-spam related "e-trash" has to do with any of
> this.
The fact that you willingly pollute the internet as a whole with SEO
"optimization" pages says a lot about your company. In my opinion SEO
"optimization" pages like myspace-codes.com *are* spam. That is the
same opinion held by many others.
Do not expect any pity from the rest of us who bust our proverbial
asses to keep our netspace clean.
1) The sites were already null routed. The problem is with Spamhaus'
inability to contact me prior to impacting other legitimate customers.
2) The presumed cleanness of a customer really isn't any of mine or
your business, as long as they're not spamming or engaged in any other
type of abuse they're free to host web content like anyone else.
Our company is primarily focused on the filtering of DDoS traffic. A
significant amount of our IP space is routed elsewhere via proxy or
GRE. If a customer pollutes, they pollute and that's their own
business. If they abuse, we take action. If Spamhaus contacts us
before ruining the business of others, we still take action (believe
it or not).
We don't actively decide to host any of this content. It sprouts up
and really is not a concern of ours until it becomes an actual
problem. Comparing us to FOONET and especially Atrivo is ignorant and
short sighted. Perhaps you would understand if you were targeted by
attacks.
I connected to 208.64.120.186 on TCP port 80 and finger-boned an HTTP
request for http://canadian-rx-store.org/ and the server responded as
I would expect a server configured with that name to respond.
Before you cast too many stones, I think you have some work to do.
Regards,
Bill Herrin
P.S. Once this is all done and over with, may I respectfully suggest
you carefully review your customer acquisition process? The object
lessons are likely to get more expensive. Principals of a Virginia
company are not well shielded against liability for facilitating
unlawful prescription drug scams. Civil or criminal.
> Our company is primarily focused on the filtering of DDoS traffic. A
> significant amount of our IP space is routed elsewhere via proxy or
> GRE. If a customer pollutes, they pollute and that's their own
> business. If they abuse, we take action. If Spamhaus contacts us
> before ruining the business of others, we still take action (believe
> it or not).
Maybe that is the case now. It was not the case 8 years ago with IRCCo.
> We don't actively decide to host any of this content. It sprouts up
> and really is not a concern of ours until it becomes an actual
> problem. Comparing us to FOONET and especially Atrivo is ignorant and
> short sighted. Perhaps you would understand if you were targeted by
> attacks.
I used to operate DroneBL. DroneBL's DNSBL servers are basically under
permanent DDoS attack, which is why Cisco/IronPort and other providers
have to sponsor them now.
While I understand the current aspect of your operation, you must
understand that IRCCo did not make you many friends in the anti-abuse
community. Sorry, that's just how it is. We look at BL/IRCCo and it
does not make us feel warm and fuzzy.
Being proactive by say, checking out your customers before lighting
them up would go a long way toward improving the fuzziness perception in
the anti-abuse community. But you don't do that. It's clear you don't
do that.
I just have to chime in here. Besides Raymond's and others' data, I can attest that the blacklotus abuse contact is worthless.
I have tried to report abuse to blacklotus many times. My last attempt was back in September when I tried for a week to report Canadian Pharmacy pill spam on a blacklotus IP. No response from abuse (not really expected) but no takedown either after a week of reporting over and over again.
We don't bother to report to you any more because your abuse email appears to us to be /dev/null'ed.