Working with Spamhaus

Hello All,

Spamhaus has done us the favor of blacklisting all of our prefixes due to
the issues with a handful of IPs from customers we have removed from our
network.

They are now being unresponsive on helping us get these listings removed
and we have a lot of legitimate customers who are no longer able to send
email.

If anyone has any advice on how to deal with these people, please let me
know here or off list.

Thanks!

When I started work for a Web hosting company as a mail admin, the company had a number of entries in the various blocking lists, including the infamous SPEWS list. Job one was finding out just which customers were causing the listings -- make a list, and check it against terminated accounts. A surprising number of those "dead" accounts were still active in one way or another, so I cleaned them up. (Web hosting clients with removed content, but still-active mail accounts.) I then let each block list know about the terminated accounts and the associated IP addresses.

Once I finished that task, I started in on the rest of the accounts. One account I terminated because they were selling spammer DNA -- I personally pulled the plugs on that co-located server. Quite a number of Web sites had exploitable mail-out scripts, so I cleaned them up so outsiders couldn't use those sign-up forms to send arbitrary mail. As I worked through the list, I let the block-list owners know what I was doing. I did *not* request de-listing, by the way. My goal in this phase was to show that I was really doing something. As a consequence, several of the BL operators removed the /21 and /19 level blocks.

Oh, did I mention that I got my upstreams to do proper SWIP of the address space, and published an abuse@ address for the address ranges?

Some customers were doing bulk mail-outs. I worked with those customers to clean up their mailing lists, to throttle their mails to avoid tripping spam alarms, and to set up their programs to react properly to DNR and spam-reject. Those that didn't like my clean-up campaign were referred to management for further action.

As part of my work, I became active on NANAE, taking advice from many people as to how to clean up my space.

One key factor was that I answered every single abuse mail that came in. Every. single. one. The responses were short, describing the corrective action I took. Most of the time, it was yet another open mail-out script that needed to be fixed. But sometimes I got to write back "the abuser has been terminated."

It took about nine months to clean up all the block-list entries. I was also diligent when new entries would pop up -- get the info as to who, and take care of the problem.

Management saw the fruit of my labor in the number and quality of new accounts. Big positive.

Notice the parallel between mail operations and network operations. Things go MUCH better when we work with each other. All the DNSBL operators want is to know that spam reports will be handled.
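The "exploitable mail-out scripts" the poster mentions are worth seeing concretely. What follows is an added example, not code from the thread or from any hosting company's site: a minimal form-to-mail handler in the exploitable shape (form fields concatenated into raw headers, and an MTA that takes its recipients from the headers the way `sendmail -t` does) beside a hardened one that keeps user input out of the headers and hands the MTA a fixed recipient. All addresses and form contents are constructed for the example.

```python
"""Form-to-mail handler: the exploitable shape beside a hardened one.

Added example, not code from the thread. It models the classic sign-up
form abuse: a field pasted into a raw header, plus an MTA that takes its
recipients from the headers (as `sendmail -t` does), lets an outsider
add a Bcc: line and relay to anyone. Addresses and form contents below
are constructed for the example.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

SITE_FROM = "signup@example.com"   # assumed site address
SITE_TO = "sales@example.com"      # assumed (and only legitimate) recipient


def vulnerable_formmail(form):
    """Builds the message by string concatenation of raw form fields.

    A CR/LF inside `name` or `email` terminates the header it was meant
    for and starts a new one chosen by the attacker.
    """
    return (
        f"From: {form['email']}\r\n"
        f"To: {SITE_TO}\r\n"
        f"Subject: Signup from {form['name']}\r\n"
        "\r\n"
        f"{form['message']}\r\n"
    )


def header_recipients(raw_message):
    """Recipients an MTA run as `sendmail -t` would take from the headers."""
    msg = message_from_string(raw_message)
    addrs = []
    for field in ("To", "Cc", "Bcc"):
        addrs.extend(addr for _, addr in getaddresses(msg.get_all(field, [])))
    return addrs


_CTRL = re.compile(r"[\r\n\x00]")
_ADDR = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def hardened_formmail(form):
    """Fixed sender and recipient, validated fields; the only user text in
    headers is a CR/LF-free name in Subject: and a syntax-checked Reply-To:.

    Returns the message text; the caller gives the MTA SITE_TO as the
    envelope recipient explicitly instead of relying on `sendmail -t`.
    """
    name = form.get("name", "")[:100]
    reply_to = form.get("email", "")
    if _CTRL.search(name) or not _ADDR.match(reply_to):
        raise ValueError("rejected form input")
    msg = EmailMessage()
    msg["From"] = SITE_FROM        # never the visitor's address
    msg["To"] = SITE_TO
    msg["Reply-To"] = reply_to
    msg["Subject"] = f"Signup from {name}"
    msg.set_content(
        f"Name: {name}\nEmail: {reply_to}\n\n{form.get('message', '')}"
    )
    return msg.as_string()


# Constructed inputs: an honest visitor and an outsider smuggling a Bcc:.
HONEST_FORM = {"name": "Alice", "email": "alice@example.org",
               "message": "Please send me pricing."}
ATTACK_FORM = {"name": "Bob\r\nBcc: victim1@example.org, victim2@example.org",
               "email": "attacker@example.net", "message": "buy now"}


if __name__ == "__main__":
    print(header_recipients(vulnerable_formmail(ATTACK_FORM)))
    try:
        hardened_formmail(ATTACK_FORM)
    except ValueError as exc:
        print("hardened handler:", exc)
    print(header_recipients(hardened_formmail(HONEST_FORM)))
```

Run against the constructed attack form, the vulnerable handler yields three recipients (the site's own plus two victims), which is exactly the "outsiders sending arbitrary mail" the poster cleaned up; the hardened handler refuses the input outright, and even an honest submission only ever reaches the fixed site address.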

If you implement SPF / DKIM / DMARC / ADSP, force your customers to
relay their mail through something you control, and show them you are
serious about stopping the spam they may work with you then. Otherwise,
they just assume you're a spam house.

If you implement SPF / DKIM / DMARC / ADSP, force your customers to relay

Before we went SaaS with email we had lots of spam problems and we also went this route .. you must relay through us and authenticate .. postfix along with the dkim and policyd milters (and SPF in DNS). The policyd one would limit you to X messages in Y hours (per SASL credential), and we would override it for people that had a specific need. That was very effective at limiting the spam damage. I'm sure your needs are different as a commercial provider but we found that hardly anyone sends more than 100 messages a day, and 100 spammy messages isn't enough to get you in trouble, as long as it stops there.

We have a /16 where most of our stuff lives and have moved things around a bit .. Spamhaus was pretty easy to deal with, as were the other major players (MS, Google, AOL, Yahoo) by just filling out their postmaster forms. Basically you just need to explain how you are fixing the problem and they usually answer you in less than 24hrs.

The only IP addresses we have that I'd consider permanently tainted are the ones we've run Tor exit nodes on. We haven't run Tor in a couple of years now, but those IPs are still blacklisted in so many places that they are essentially unusable in any reliable capacity -- something to keep in mind while crafting your TOS.

-Michael Holstein
-Cleveland State University
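The two posts above describe the same control: force customers to submit through a relay you run, authenticate them, and cap each SASL credential at X messages per Y hours with overrides for customers who have a real need. Below is an added example of that cap, written here rather than taken from policyd or from either poster's configuration: a minimal Postfix SMTPD policy service in Python that speaks Postfix's policy delegation protocol (one `name=value` line per attribute, a blank line ending the request, and an `action=` line plus blank line in reply). The limit values, the deferral text, the per-user override table and the in-memory counter are all assumptions; the sample request is constructed.

```python
"""Postfix SMTPD policy service: X messages per Y hours per SASL credential.

Added example, not policyd or any config from the thread. Postfix's policy
delegation protocol sends one "name=value" line per attribute and a blank
line to end the request; the service replies "action=<verb>" plus a blank
line. Limits, deferral text and the in-memory store are assumptions.
"""
import io
import time
from collections import defaultdict, deque

MAX_MESSAGES = 100          # assumed default: about a day's worth of mail...
WINDOW_SECONDS = 24 * 3600  # ...per authenticated user


def parse_request(reader):
    """Read one request; return its attributes, or None at EOF."""
    attrs = {}
    while True:
        line = reader.readline()
        if line == "":                      # connection closed
            return attrs or None
        line = line.rstrip("\r\n")
        if line == "":                      # blank line ends the request
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value


class SubmissionLimiter:
    """Sliding-window message counter keyed on sasl_username."""

    def __init__(self, max_messages=MAX_MESSAGES, window=WINDOW_SECONDS,
                 overrides=None):
        self.max_messages = max_messages
        self.window = window
        self.overrides = dict(overrides or {})   # user -> raised limit
        self._sent = defaultdict(deque)          # user -> send timestamps

    def limit_for(self, user):
        return self.overrides.get(user, self.max_messages)

    def check(self, attrs, now=None):
        """Return the Postfix action for one request."""
        now = time.time() if now is None else now
        user = attrs.get("sasl_username", "")
        if attrs.get("request") != "smtpd_access_policy" or not user:
            # Unauthenticated clients are not counted here; the MTA's relay
            # restrictions must already refuse to relay for them.
            return "DUNNO"
        history = self._sent[user]
        cutoff = now - self.window
        while history and history[0] <= cutoff:
            history.popleft()
        if len(history) >= self.limit_for(user):
            # A 4xx the client retries later, unless a later restriction
            # rejects the message outright.
            return "DEFER_IF_PERMIT Submission rate limit exceeded, try later"
        history.append(now)
        return "DUNNO"


def handle_stream(reader, writer, limiter, now=None):
    """Answer requests until EOF (Postfix reuses the connection).

    Returns the actions given, so a caller can inspect them.
    """
    actions = []
    while True:
        attrs = parse_request(reader)
        if attrs is None:
            return actions
        action = limiter.check(attrs, now)
        writer.write(f"action={action}\n\n")
        writer.flush()
        actions.append(action)


# Constructed request in the shape Postfix sends from
# smtpd_end_of_data_restrictions (one request per message).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=END-OF-MESSAGE\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "sasl_method=PLAIN\n"
    "sasl_username=alice@example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "recipient_count=1\n"
    "size=2048\n"
    "\n"
)


def demo(limit=3):
    """Feed one user limit+1 messages in a row against a limit of `limit`."""
    limiter = SubmissionLimiter(max_messages=limit, window=3600)
    return handle_stream(io.StringIO(SAMPLE_REQUEST * (limit + 1)),
                         io.StringIO(), limiter, now=0.0)


if __name__ == "__main__":
    # For real use, accept connections on a socket and call handle_stream()
    # with conn.makefile("r") / conn.makefile("w"), then add
    # check_policy_service inet:127.0.0.1:10040 to the restriction list.
    print("\n".join(demo()))
```

Listed in smtpd_end_of_data_restrictions the service is consulted once per message, which is what "X messages" means; in smtpd_recipient_restrictions it is called once per RCPT TO, so a limiter placed there has to count recipients instead. A production version keeps its counters somewhere that survives a restart and is shared across the relay's smtpd processes, and the override table is where the "specific need" customers from the post go.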

Le sigh ..

Hotmail/Outlook/Live
https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us

Google/Gmail
https://support.google.com/mail/contact/bulk_send_new?rd=1

AOL
https://postmaster.aol.com/trouble-ticket

Yahoo
https://io.help.yahoo.com/contact/index?page=contact&locale=en_US&y=PROD_MAIL_ML#

As for SORBS, I'm not aware of anyone that uses it these days because of the extortion thing and the rather ..ahem .. "eccentric" nature of its owner.

Regards,

Michael Holstein
Cleveland State University

As for SORBS, I'm not aware of anyone that uses it these days

many folk do

randy

Many of them your competitors? :) (Sorry, couldn't resist.) :)

Hi,

As for SORBS, I'm not aware of anyone that uses it these days because of

the extortion thing and the rather ..ahem .. "eccentric" nature of its
owner.

and

I see you've never had the pleasure of dealing with SORBS. All it takes is
*ONE* message - EVER - to be instantly, and forever, listed in their
spamtraps list. Getting on the list is automatic and immediate. There are
no thresholds or limits, and there's no expiration. The only way off that
list is to PAY them to remove you. (Which makes it illegal in most places.
The corporate sharks flipped when I pointed them to that "policy".)

I work for Proofpoint -- we acquired SORBS back in 2011. There is
obviously some incorrect / very outdated information / viewpoints here, so
I thought it would make sense to clear the air a bit:

Listings can happen a number of different ways, however the vast majority
of these can be resolved, either through automatic delisting, or manual
delisting (via SORBS support ticket). Additionally, there is NO CHARGE to
be delisted.

I'm happy to help mitigate any issues -- feel free to hit me up off list --
jangerbauer@proofpoint.com

Thanks

--Jaren

Hint: The Internet has a LONG memory.

The liberal and numerous dropping of "for free" makes me laugh. "You" knew the tainted nature of what you were buying. Nobody, to this day, places much trust at all in SORBS. I dare say there isn't anyone on NANOG (certainly any "long hairs") that hasn't had at least one interaction with SORBS, most likely due to spamtraps; that number drops to almost zero when you put the word "good" in that sentence. Maybe it's better now under new management; we (the royal we) moved on long ago.

It's what they call a free country

Those that don't use it don't use it, and those who do are free to do so

--srs

Hi Jaren,

The big problem I remember with SORBS from my ISP days was that if
they tested an open relay at IP address A and the return message came
from IP address B, they listed IP address B. This put me in an
impossible situation as an ISP providing an SMTP smarthost to my
authenticated customers. If just one of them screwed up their mail
programming, not trying to spam mind you, just screwed up their
configuration, my entire relay was hit with a block.

Practically speaking, to keep my mail server off SORBS I was required
to employ SORBS on my relay to block any customers whose IP appear as
an input into SORBS. If I wanted to stay off their list then I MUST
use them. Bad ethics there IMO.

Is it still SORBS practice to list both input and output IP addresses
of an open relay, regardless of detected spam activity and without any
attempt to notify the mail op of the problem?

Regards,
Bill Herrin

Is that to be encouraged?

:)


There is a very good reason as to why the "...some incorrect / very outdated information / viewpoints here..." <snip>

Matt/Michelle Sullivan did a lot of good things but a lot more *bad* in the name of SORBS - ergo the SORBS-Anathema.
...I have, just like many others on this list, had to deal with this entity that had in essence turned into a joke.
./Randy


....and to echo the OP's observation: at my last $day-job, SORBS wanted payment (payment options: PayPal and other electronic means) to a fund to support the defense (in court, in Australia) of someone whose name I don't remember.
Needless to say, the next exec-memo said: "Anyone who uses SORBS is on their own."
./Randy