Spamhaus flags any IP announced by our ASN as a criminal network

Hello guys,

We recently discovered that any IP address announced by our ASN is blacklisted by Spamhaus, even if we only announced it but did not use it.

I would like to ask if this is manually set by Spamhaus or is it a system misjudgment? Has anyone encountered the same situation as us?

Best,

Given the list of things on these two prefixes alone, I would venture to guess it’s not a misjudgement.

https://check.spamhaus.org/listed/?searchterm=5.178.2.1

https://check.spamhaus.org/listed/?searchterm=80.66.64.1

However, for those prefixes

https://www.spamhaus.org/sbl/listings/azeronline.net

We haven’t even started to use them, we just announced them… They marked it as a criminal network

AFAIK, Spamhaus starts to mark a whole AS as criminal if there is too much abuse.
It seems you’ve reached the point that they ignore specific prefixes and set every prefix you are advertising as criminal.

We haven't even started to use them, we just announced them... They marked it as a criminal network

They do that once they decide you've been broadly inattentive to abuse
reports. It stops folks from shuffling IP addresses to evade
filtering.

I would like to ask if this is manually set by Spamhaus or is it a system misjudgment? Has anyone encountered the same situation as us?

As I understand it, most things at Spamhaus are manual determinations.
You click on "show details" and they give you a list of timestamped
report IDs, each with a 1-line description of the reviewer's
assessment of the fault.

Have you received complaints from Spamhaus in the past? If so, have you acted on them in a timely manner?

Based on my past experiences, Spamhaus is rather gracious at first, but if you ignore them, they will start blocking you en masse. About 10 years ago, I worked for a datacenter/NSP and personally handled all Spamhaus complaints, and as soon as I left to go to another company (and the company stopped taking care of the complaints), Spamhaus blocked every single one of their IPs until they committed to actually handling the complaints again.

V/r
Tim

It seems you've reached the point that they ignore specific prefixes and
set every prefix you are advertising as criminal.

Our sponsor (LIR) 62yun.com, they have 2 prefixes for VPS/Dedicated Server
using our ASN.
62yun did receive a lot of complaints, but as far as I know they have been
handling them (their head said their team is not good at English and so
they did not reply to emails).
For me, I cannot reply to all emails for them, since I don't have that much
time. I also need to work for my company.

As I understand it, most things at Spamhaus are manual determinations.
You click on "show details" and they give you a list of timestamped
report IDs, each with a 1-line description of the reviewer's
assessment of the fault.

I checked https://check.spamhaus.org/listed/?searchterm=46.23.100.0 and the
reason they gave us was simple, saying we are not willing to handle abuse. But
we stressed with them many times that we are 2 different companies. We also
do not have the authority to handle these complaints, but we will alert
62yun.com.

But they still intend to blacklist all the prefixes under our ORG ID, even
if the user is not us.

Based on my past experiences, Spamhaus is rather gracious at first, but if
you ignore them, they will start blocking you en masse. About 10 years ago,
I worked for a datacenter/NSP and personally handled all Spamhaus
complaints, and as soon as I left to go to another company (and the company
stopped taking care of the complaints), Spamhaus blocked every single one
of their IPs until they committed to actually handling the complaints again.

This has little impact on 62yun.com's VPS business, and my feeling is that
if someone uses their VPS to build a mail server those emails that are sent
from this server may be rejected.

However, we are recently building a CDN for one of our partners (a social
media company), and we need to use a provider like vultr, which is not
really an IP Transit provider, to announce prefixes, however, they reject
prefixes on the Spamhaus list.

I don't think any ISP would reject an IP that is on the Spamhaus list.

*Brandon Zhi*
HUIZE LTD

www.huize.asia <https://huize.asia/> | www.ixp.su | Twitter


Ignoring abuse complaints doesn’t shield one from the responsibility of acting upon those complaints. If someone under your control isn’t doing their job, you need to cut them off.

You, clearly, have been living under several rocks for a very long time.

Yes, those prefixes that are used for the hosting service have been listed for a long time. However, for those new prefixes that we rented… We just announced them… even though they’re unreachable… They just added them to this list.

If someone tries to break into my house over and over, I won’t act any different if they show up wearing different clothes.

Well, those prefixes are not for their VPS hosting service (which causes a lot of complaints). Just like there are many IP addresses under the telecommunication company, the entire ASN cannot be “blocked” just because there is a complaint on one IP address.

Hi Brandon

“ the entire ASN cannot be “blocked” just because there is a complaint on one IP address”

Why not? They are being advertised by the same ASN so at least nominally they are under common administrative control. Therefore if that administrative control is not taking responsibility for complaints they may be treated as a bad actor on the internet.

Also, people choose to block / rate limit / etc. things on their networks for whatever reason makes sense to them.

I think if you have a customer or partner who doesn’t look after scams or worse coming from their network you may need to consider disconnecting them if you are not willing to be marked as the same bad actor for at least passively enabling them.

This could still happen if they had their own ASN with their own netblocks because if you are still providing transit to them and take no action you may again be flagged as a bad actor.

We all have a role to play keeping our networks clean and positive members of the internet community.

Might be time to have your customer / partner clean up their actions in response to complaints or ensure that you don’t need a good reputation with spamhaus to operate.

Regards
Alexander

Well, those prefixes are not for their VPS hosting service (which causes a lot of complaints). Just like there are many IP addresses under the telecommunication company, the entire ASN cannot be “blocked” just because there is a complaint on one IP address.

I can drop all prefixes from any ASN at any time and for any reason. Maybe I don’t like the color scheme of their logo, or how the CEO spells their first name. That may or may not be a smart business decision for me, but I could do it.

For most of the internet, it DOES make good business sense to restrict access to ASNs that are known to harbor bad actors, either directly, or by providing connectivity. It sounds like your organization has made a business choice that the revenue from such customers is more important than shutting them off, and learning about the consequences of that decision.

It sounds like an unfortunate situation for you who may just be trying to do your job, but that’s the reality it seems you are facing right now.

And yet they have. And it was due to complaints with more than one IP address.

Bottom line: your service provider is a bad network citizen with a
reputation deep in the toilet. Find another service provider. And this
time, do the research before you spend the money.

Regards,
Bill Herrin

Brandon Zhi <Brandon@huize.asia> writes:

Well, those prefixes are not for their VPS hosting service (which causes a
lot of complaints). Just like there are many IP addresses under the
telecommunication company, the entire ASN cannot be "blocked" just because
there is a complaint on one IP address.

April came early this year.

Bjørn

The solution to your problem is to terminate the customer causing the abuse, in this case 62yun.com. Once you do that I'm sure Spamhaus will stop listing all your IPs.

Aaron

Why do two different companies with what should be independent networks share an AS number?

Several Huize ASNs, e.g. AS47158 and AS141011, were revoked due to RIR policy violations, which include prohibited sharing of ASNs with third parties, IP hijacking, and malicious path prepending.

Given this history, it is not surprising that Spamhaus would blacklist IP addresses associated with their ASN. In my opinion, such action is well-justified.

Best regards,
August Yang

Well, that explains a lot.

For their own sake I hope they shape up - but I doubt they will.