Zero Errors? Spamhaus Flubs Causing Domain Deletions 170
Since 2005 I've been running a proxy mailing list where users sign up to receive new proxy sites by email. (Proxy sites are sites for getting around Internet blocking software; most proxy sites that you can find through Google are already blocked by major blocking programs, which is why you would sign up to receive new ones by email, to use them until they get blocked as well.) In all that time, we've followed what are considered best practices for email newsletters: every new subscriber is sent a confirmation message by email, and they have to reply to that message, confirming that they really want to subscribe to the emails, before being added to the list. This practice, known as "verified-opt-in," is considered the gold standard for responsible emailing, since it ensures that everyone on your list actually wants to get your emails. (It also ensures that if you accuse an email publisher of spamming because you received their unwanted emails, they can't say, "Oh, one of your friends must have added you" — since if they're using verified-opt-in like they're supposed to, your friends can't add you.) I'm front-loading a lot of information here, although if you saw the words "Spamhaus errors" in the title, you may recognize the technique of literary foreshadowing being employed.
Despite conforming to verified-opt-in standards, the proxy emails have at times been blocked by spam filters used by Hotmail, Gmail, Yahoo Mail, AOL Mail, and various other systems. However, last month was the first time that an incorrect blacklisting caused the domains themselves to be disabled, so that the sites disappeared from the Internet entirely.
On September 17th I registered 10 new .info domains through NameCheap, set up new proxy sites at each of those domains, and mailed each site to 1/10th of our proxy mailing list. (Sending new sites only to a subset of the list makes it harder for blocking software companies to join the list and find all new sites as soon as they're released.) All seemed to be going well until October 2, when subscribers started telling me that they were getting "host not found" errors when trying to reach the sites. I tried the sites myself, found that they were indeed inaccessible, and spent about an hour testing for various problems with DNS servers and domain record settings, before logging in to NameCheap and seeing a message next to each of the new domains saying "domain locked due to illegal activity; please email legal@enom.com." (NameCheap being a reseller for the domain registrar eNom.)
So I sent eNom an email and followed up with a phone call to see if they could speed things up, since complaints kept pouring in from users that the sites were unreachable. eNom said that the domains had actually been suspended by Afilias, the company that handles all .info domain registrations no matter who you buy the domain from, and eNom was in the process of talking with Afilias. So I called Afilias myself to ask about getting the domains unlocked, but they refused to talk to me and said that they could only respond to inquiries from eNom. This, of course, is ridiculous — if someone notifies you that you or your company has made a error, you can investigate the issue no matter who brings it to your attention — and especially in cases where you're literally accusing someone of unspecified "illegal activity," you should bend over backwards to respond to any indication that you might have made a mistake. But they refused to do anything, so I waited for a response back from eNom.
A day and a half ticked by, with emails continuing to come in from our users wondering why the domains had disappeared, until finally eNom forwarded me a response from Afilias saying that two of my ten domains ("drybook.info" and "rootface.info") had been blacklisted by the UK-based organization Spamhaus on their Domain Block List. Spamhaus operates several different alleged "spam" blacklists, and claims that the DBL is a list of domains found in spam messages. The DBL FAQ says that it is "built predominantly using automated spamtraps and email flow monitoring" and "has many checks to prevent legitimate domains being listed," even going so far as to call it a "zero false-positive" list.
Even though only two of the ten domains that I had registered that day had been blacklisted by Spamhaus, Afilias had responded by disabling the entire group of ten domains that I had bought at the same time.
Now here's where I caught a bit of a break: It turns out I was able to get the domains instantly removed from the DBL by entering them in a form on the Spamhaus site and clicking a button, which took me to a page saying:
DBL removal successful
The domain was successfully removed from the DBL. Please allow 30 minutes for servers around the world to update their data. Please note that the domain will be re-listed if malicious activity is detected in the future.
Although, even this easy part of the process didn't inspire much confidence. Not that I wanted Spamhaus to make it harder for me to de-list by domain names, of course, but if you really think your blacklist is 100% accurate, why would you let anyone get any domain removed at any time just by submitting it in a form? In fact, this would seem to give an advantage to spammers over regular website owners — because a spammer, who knows about blacklists and would find it worthwhile to game the system in his favor, would be more likely to know about the Spamhaus DBL and the form for getting their domains de-listed. Whereas for a regular non-spamming website owner, it would take far more time to find out that their domains had been de-activated, that the de-activation had occurred because of an incorrect Spamhaus listing, etc.
Once the listing had been removed, I emailed eNom, who emailed Afilias, who eventually re-activated the domains after a few more hours. But the traffic never returned to the levels that it had been at before the domains were deleted, as most of our users had apparently concluded that the sites had been blocked or taken offline.
Spamhaus did not respond to requests for comment on this story. In fact, Spamhaus does not give you a way to contact them if you have been wrongly blacklisted — their "contacts" page redirects you to the "Blocklist Removal Center" if your domain is blocked, but that only leads you to the automated removal tools, not a way to contact the organization. I did email their "Press Office" email address, on the grounds that I was writing an article for Slashdot in addition to being a wrongly blacklisted domain owner, but didn't get an answer.
So I have no idea what will happen with the next group of domains that I send out to our proxy list. If Spamhaus signed up one of their "spamtrap" email addresses to our mailing list, then presumably any domain mentioned in a message sent to that email, will get automatically blacklisted (even though of course since they signed up the email address to our mailing list, that means it's not spam). If that happens, the entire next batch of domains might get disabled by Afilias as well.
Meanwhile, Spamhaus continues to claim that the DBL is a "zero false-positive" list. I don't know how many other false positives are on the list or how many domains have been abruptly disabled as a result, but if it's this easy to get incorrectly blacklisted, my money is not on "zero."
OK, so I read the rant... (Score:4, Interesting)
In summary:
1. You run a mailing list
2 You *claim* that it's opt-in
3 Somehow Spamhaus gets your list in its honeypots
4. Spamhaus lists you
5. Afilias nukes you, all 10 of your domains.
6. You easily get your domains off Spamhaus by filling out a form
7. Somehow this is Spamhaus' fault and not Afilias for giving you the run-around
Spamhaus has servers that collect spam from the internet by just being on the internet. Spammers blindly send mail to addresses and the Spamhaus servers read the headers to see where they came from. Headers can be forged, but a good algorithm can do the same thing that a human does when reading a header - follow the chain of Received: until it hits the inevitably forged nonexistent or non-sequitur domain. The one before that gets listed at Spamhaus.
Spamhaus has no users on its honeypots that subscribe to lists. They are just "there" on the net silently collecting spam and they give no 5xx or 4xx errors (because, you know, why bother?). The only way for the honeypot to get messages from you is if your list actually contains the addresses of the honeypots.
Spamhaus has a good reputation. They are probably the most reliable blacklisting service out there and this maddens spammers to no end. There are others that shouldn't be used, but Spamhaus is used by nearly everyone who uses a blacklist because of its accuracy.
>If Spamhaus signed up one of their "spamtrap" email addresses to our mailing list
It doesn't work that way. Clean up your list.
--
BMO
Don't kneejerk react, readers (Score:5, Interesting)
Don't talk to him like a noob, people. Bennett has been around a very, very long time. He has had a beef with DNS distributed blocklists for most of that time. Others publishing their opinions gets in his craw when it interferes with his operations. He comes in here periodically with his latest incident to rally the "freedom to do whatever I want" crowd into a frenzy. He also posts lots of other stuff worth reading. *grin*
If one considers the DBL a list of domains who have appeared in emails to spamtraps, then I would contend that it very possible that the "zero false positive" claim holds up because it very well might have happened. If it claims that all listed entities are domains owned by spam operators, then he might have an argument.
Haselton's fundamental gripe is that he should be free to communicate until a real person decides he shouldn't. The fact that automated systems now make the blocking decision, requiring human intervention to override them, is an inverted model compared to the "old internet." (The necessity came from the raw volume of spam) The death of the "old internet" began with Canter and Siegel [http]. Some of our long-term, asylum residents just haven't accepted that fact.
Blacklist owners are never contactable (Score:5, Interesting)
I do not believe it is possible to be contactable and run a blacklist. It would require an army of support people, and most of the blacklists just do not get the kind of income necessary to pay for that.
Blacklists are a pain to deal with in general. Some simply hold you for ransom. Yet it is also a pain to run a mailserver without blacklists, so... Spamhaus has fewer false positives than most, in my experience, but it is stupid of them to claim that any list has zero of them.
Legit .info user? You must be the first. (Score:5, Interesting)
I've yet to receive any piece of e-mail from a .info domain that wasn't spam. Simply matching on .info is the most reliable filter I've found for identifying e-mail from scumbags who deserve death.
Anyone else notice this?
Re:Spamhaus is better than you think (Score:2, Interesting)
Ah.....no they don't.
On two ocassions Spamhaus blacklisted one of my corporate sub domains. No notice to any of my contact E-mails {abuse, info, technical, root, admin, webadmin, emailadmin, help, etc}. Just suddenly blacklisted it....I have no explanation why because they certainly would not have received any E-mail from it....those domains don't send E-mail....the domains just receive from a very specific set of customers.
The reason I found out both times was a customer who used spamhaus was having trouble sending us information and found out why. Nice thing was, he took care of it by dropping Spamhaus as his DBL provider after the second time.
So II would like to hope that they may be better than I think, but, from experience, they are not.