Zero Errors? Spamhaus Flubs Causing Domain Deletions

Frequent contributor Bennett Haselton writes: After I sent 10 new proxy sites to my (confirmed-opt-in) mailing list, two of them ended up on one of Spamhaus's blacklists, and as a result, all 10 domains were disabled by the domain registrar, so the sites disappeared from the Web. Did you even know this could happen?"

Since 2005 I've been running a proxy mailing list where users sign up to receive new proxy sites by email. (Proxy sites are sites for getting around Internet blocking software; most proxy sites that you can find through Google are already blocked by major blocking programs, which is why you would sign up to receive new ones by email, to use them until they get blocked as well.) In all that time, we've followed what are considered best practices for email newsletters: every new subscriber is sent a confirmation message by email, and they have to reply to that message, confirming that they really want to subscribe to the emails, before being added to the list. This practice, known as "verified-opt-in," is considered the gold standard for responsible emailing, since it ensures that everyone on your list actually wants to get your emails. (It also ensures that if you accuse an email publisher of spamming because you received their unwanted emails, they can't say, "Oh, one of your friends must have added you" — since if they're using verified-opt-in like they're supposed to, your friends can't add you.) I'm front-loading a lot of information here, although if you saw the words "Spamhaus errors" in the title, you may recognize the technique of literary foreshadowing being employed.

Despite conforming to verified-opt-in standards, the proxy emails have at times been blocked by spam filters used by Hotmail, Gmail, Yahoo Mail, AOL Mail, and various other systems. However, last month was the first time that an incorrect blacklisting caused the domains themselves to be disabled, so that the sites disappeared from the Internet entirely.

On September 17th I registered 10 new .info domains through NameCheap, set up new proxy sites at each of those domains, and mailed each site to 1/10th of our proxy mailing list. (Sending new sites only to a subset of the list makes it harder for blocking software companies to join the list and find all new sites as soon as they're released.) All seemed to be going well until October 2, when subscribers started telling me that they were getting "host not found" errors when trying to reach the sites. I tried the sites myself, found that they were indeed inaccessible, and spent about an hour testing for various problems with DNS servers and domain record settings, before logging in to NameCheap and seeing a message next to each of the new domains saying "domain locked due to illegal activity; please email legal@enom.com." (NameCheap being a reseller for the domain registrar eNom.)

So I sent eNom an email and followed up with a phone call to see if they could speed things up, since complaints kept pouring in from users that the sites were unreachable. eNom said that the domains had actually been suspended by Afilias, the company that handles all .info domain registrations no matter who you buy the domain from, and eNom was in the process of talking with Afilias. So I called Afilias myself to ask about getting the domains unlocked, but they refused to talk to me and said that they could only respond to inquiries from eNom. This, of course, is ridiculous — if someone notifies you that you or your company has made a error, you can investigate the issue no matter who brings it to your attention — and especially in cases where you're literally accusing someone of unspecified "illegal activity," you should bend over backwards to respond to any indication that you might have made a mistake. But they refused to do anything, so I waited for a response back from eNom.

A day and a half ticked by, with emails continuing to come in from our users wondering why the domains had disappeared, until finally eNom forwarded me a response from Afilias saying that two of my ten domains ("drybook.info" and "rootface.info") had been blacklisted by the UK-based organization Spamhaus on their Domain Block List. Spamhaus operates several different alleged "spam" blacklists, and claims that the DBL is a list of domains found in spam messages. The DBL FAQ says that it is "built predominantly using automated spamtraps and email flow monitoring" and "has many checks to prevent legitimate domains being listed," even going so far as to call it a "zero false-positive" list.

Even though only two of the ten domains that I had registered that day had been blacklisted by Spamhaus, Afilias had responded by disabling the entire group of ten domains that I had bought at the same time.

Now here's where I caught a bit of a break: It turns out I was able to get the domains instantly removed from the DBL by entering them in a form on the Spamhaus site and clicking a button, which took me to a page saying:

DBL removal successful
The domain was successfully removed from the DBL. Please allow 30 minutes for servers around the world to update their data. Please note that the domain will be re-listed if malicious activity is detected in the future.

Although, even this easy part of the process didn't inspire much confidence. Not that I wanted Spamhaus to make it harder for me to de-list by domain names, of course, but if you really think your blacklist is 100% accurate, why would you let anyone get any domain removed at any time just by submitting it in a form? In fact, this would seem to give an advantage to spammers over regular website owners — because a spammer, who knows about blacklists and would find it worthwhile to game the system in his favor, would be more likely to know about the Spamhaus DBL and the form for getting their domains de-listed. Whereas for a regular non-spamming website owner, it would take far more time to find out that their domains had been de-activated, that the de-activation had occurred because of an incorrect Spamhaus listing, etc.

Once the listing had been removed, I emailed eNom, who emailed Afilias, who eventually re-activated the domains after a few more hours. But the traffic never returned to the levels that it had been at before the domains were deleted, as most of our users had apparently concluded that the sites had been blocked or taken offline.

Spamhaus did not respond to requests for comment on this story. In fact, Spamhaus does not give you a way to contact them if you have been wrongly blacklisted — their "contacts" page redirects you to the "Blocklist Removal Center" if your domain is blocked, but that only leads you to the automated removal tools, not a way to contact the organization. I did email their "Press Office" email address, on the grounds that I was writing an article for Slashdot in addition to being a wrongly blacklisted domain owner, but didn't get an answer.

So I have no idea what will happen with the next group of domains that I send out to our proxy list. If Spamhaus signed up one of their "spamtrap" email addresses to our mailing list, then presumably any domain mentioned in a message sent to that email, will get automatically blacklisted (even though of course since they signed up the email address to our mailing list, that means it's not spam). If that happens, the entire next batch of domains might get disabled by Afilias as well.

Meanwhile, Spamhaus continues to claim that the DBL is a "zero false-positive" list. I don't know how many other false positives are on the list or how many domains have been abruptly disabled as a result, but if it's this easy to get incorrectly blacklisted, my money is not on "zero."

registries

[alphatel]

Afilias does not have the intrinsic right to blackhole your DNS no matter what Spamhaus does. However, it is in your agreement when using an .info domain. An easy way out of this is to use a domain that is unaffiliated like .com/.net or out of the country like .me/.co/.it/.to
If you have the time, find better contacts at Afilias and get them to clarify their policy. If you have the money, call a lawyer. If you are really bored and love .info to death, run a persistent check on spamhaus and remove your domains from the list immediately instead of after Afilias finds out.

not suprising

[Anonymous Coward]

I'm not that shocked. Your mailing list is a huge concentration of all the spamming proxy servers in the world. I'm not suggesting that your list is the cause or is related to the spam, but any site with a large number of banned domains will eventually be tagged as a spammer and hopefully removed.

no sympathy

[Anonymous Coward]

You should consider this a wake-up call. It's time to switch from mass-email to a web page with RSS.
If people really want your newsletter, they'll come to you.

Sounds like

[OverlordQ]

an Afilias issue, not a Spamhaus issue.

Secondly, how sure are you somebody didn't forward your email to their own not-so-double-opt-in list which got reported as spam.

Re:Spamhaus DBL IS network abuse

[Anonymous Coward]

A lot of ISPs in the USA (for example) are poorly run. Most are hosting knowingly and willingly spammers because they get paid by spammers. If you want to whine do it right, thanks.

Re:no sympathy

[FictionPimp]

Until the services their customers are trying to get around block his web page. Email works a bit better for this as it's not easily blocked (unless the people doing the blocking are going to block hotmail and gmail).

Spamhaus is better than you think

[Anonymous Coward]

Spamhaus always send an automatic notification to abuse@YourDomain.info, if they add you to the blacklist. I suspect you may not have configured an MX to receive mail on these domains. If you had, you would have received a notification.

Re:registries

[nullchar]

Yes, the answer to the poster's problem is to not use .info domains with this highly restrictive policy: http://info.info/information/anti-abuse-policy [info.info]

What is interesting about all of this is Afilias (the registry operator for .info) appears to be using the Spamhaus DBL in an automated fashion to add "serverHold" status to listed domains. ("serverHold" effectively removes the domain from the TLD root servers and can only be modified by the Registry. "clientHold" does the same thing, but can be modified by the Registrar, in this case eNom.)

This is the official ICANN agreement and related documents that allows .info to function: https://www.icann.org/en/about/agreements/registries/info [icann.org]

This is the Registry-Registrar Agreement (RRA) containing section 3.6.5 referred do by the .info anti-abuse-policy: https://www.icann.org/en/about/agreements/registries/info/appendix-08-08dec06-en.htm [icann.org]

In all of those documents, I see no mention of the registry operator (Afilias) being able to invoke their rights of RRA section 3.6.5 in an automated (API-used) fashion. You could email Afilias about it, but doubt they would respond. If we want to get to the bottom of how they are auto-serverHold-listing domains, it seems a lawsuit is the only way. Perhaps someone really did email abuse@afilias.info, and a human checked the SBL and looked at the batch of domains created near the same time from the same registrar.

Thanks, Bennett Haselton, for posting this article and telling us about these shady practices from Afilias.

If you wish to continue using .info, and eNom (namecheap), then it appears you should create separate accounts, and register 1-2 domains in each account, so at least they are not blocked as a group. Additionally, using multiple sets of nameservers will make the domains look "different" from each other.

Re:no sympathy

[FictionPimp]

That's great, but his list is a list of proxy servers. The purpose of those proxy servers is 'proxy avoidance'. My content filtering automatically filters pages in the category of 'proxy avoidance'.

Therefore, if someone wanted to use his proxy servers (which he's constantly adding new domains to to get around my attempts to keep my employees from avoiding my filters) he needs a way to get them those proxy servers and they need a way to find him. I'm not allowed to block email services, but I am allowed to block sites related to getting around my filters.

This is why email works better. They can sign up at home or on some page before I find and block it, confirm via email, then get updates even if I'm blocking the place where they signed up in the first place.

There is a problem with emails being blocked as well, but that is spam filtering not my active attempt to keep them from getting around my filters. Overall this is the fundamental problem with getting around content blocking/filtering. You have to be able to find the site that tells you how to get around the filtering before the people doing the filtering filter that site.

Re:No illegal activity?

[Anonymous Coward]

You must be new here. Bennett is quite well-known in anti-spam, and anti-censorware world. While you were in diapers, he testified in Congress against COPA. He runs peacefire.org - dedicated to free speech for those who are under 18. Accusing him of supporting spam in some way is ridiculous.

http://en.wikipedia.org/wiki/Bennett_Haselton
http://en.wikipedia.org/wiki/Peacefire

Very true - really depends on the registrar

[caffeinejolt]

I wrote the backend for a registrar (NameSilo [namesilo.com]) and still help out with their developers from time to time. Because they offer free privacy and low prices - they get a lot of black hat use. Spamhaus frequently sends them abuse complaints and I have seen a few of them. What is amazing is that most of them offer little to no evidence of the wrongs a given domain has done. I am literally pasting from an email I was copied on here:

From NameSilo regarding an alleged malware domain:

Hi Thomas, We would like to help expedite this since it involves potential malware, but you don't give us much to go on here. Can you please review: http://www.namesilo.com/Support/Abuse-Reporting-Procedures [namesilo.com]

From Spamhaus:

This domain name is operated by cybercriminals and used to provide DNS resolution to botnet domains, aimed to steal thousands of $$$ from financial institutions. Please suspend it.

So in short - the registrar asked for evidence that the domain was violating their terms of service and spamhaus simply replies they are cybercriminals... trust us! After seeing other abuse reports from them, I can tell you that spamhaus has a very snub attitude and expects to be listened to. Once when Namesilo did not listen to them enough to their liking, they added namesilo.com to their RBL - they had me modify their MTA to route email around the block, but still - I think you can see the problem here - someone has to keep spamhaus in check.

Re:no sympathy

[Jerslan]

Except that it's an opt-in w/ verification mailing list, so they already come to him since they have to request to join the list in the first place and then verify via e-mail that they own the account.

Re:Spamhaus and RBL = evil

[Imagix]

You're proceeding from a faulty premise. You're assuming that you are seeing all of the traffic being sent to you. Back when I was maintaining the spam filter for our company, 95% of the incoming mail was simply dropped on the floor as being too spammy. The stuff that hits your spam folder is only the stuff that is "marginally" spammy.

Nobody keeps Spamhaus in check

[RonVNX]

Unfortunately nobody keeps Spamhaus in check, that's why they've become a degenerate network abuse source. Their DBL shows them for what they are now, something the rest of the Internet needs to shun.

Re:not suprising

[LordLucless]

GIven that his article was about him setting up 10 new proxies and emailing them out, it would seem that, at least for the domains relevant to this discussion, the OP was the owner/administrator and most definitely intended them to be used in that manner. Also, from context, it appears that he was running webproxies, not email proxies. They're generally used as anonymizers, or to circumvent geo-IP techniques, not to spam people.