What causes Spamhaus CSS listings

Today’s Wednesday Question comes from Zaib F.

What causes the Spamhaus CSS listing, in your experience, other than a sender using multiple sets of IPs to look as if they are a valid sender? Do you think a spamtrap plays a role?

I’ll preface this by saying I don’t know what the specific Spamhaus criteria are for listing on the CSS. I do know the overall goal of the CSS list is to catch snowshoeing. I also know some general things about how Spamhaus works. Spamhaus has access to lots of different email feeds that they use as data sources for their various lists. I believe that Spamhaus feeds are built around email addresses that are kept private. I do not believe Spamhaus uses those addresses to sign up for mail, nor do they ask or encourage other people to add those addresses to lists. Spamhaus has access to other types of data like BGP feeds and tools to organize and visualize the data.
Snowshoeing is where the sender spreads mail thinly across a large number of IP addresses (and usually domains) so that no single IP accumulates enough volume or complaints to trip reputation-based filtering. There isn’t a specific line between responsible mailing and snowshoeing: a legitimate ESP customer may also send one campaign from many IPs. But it’s usually clear when a range is being used for snowshoeing, because the pattern shows up across the whole range rather than on any one IP.
Snowshoe spam isn’t just about a single email (or a few emails) being received. It’s about a pattern of identical emails coming from a range of IP addresses. It’s about rotating domains in the From: line with the same email content. It’s about random domains that don’t relate to the sender, or the ESP or the brand. It’s domains hiding behind proxy services. It’s mail that is clearly from the same templating engine, selling very different products. It’s rotating reverse DNS. It’s a lot of little things, none of which are problematic by themselves but put together indicate that the IP range might just be infested with spammers.
The direct answer to your question is: Yes, I think spamtraps play a role in CSS listings. I think that mail sent to addresses that didn’t request the mail will trigger investigations. But it’s not the trap hit, or the mail to a person, that causes a CSS listing. A spamtrap hit is neither necessary nor sufficient for a CSS listing. It’s the technical characteristics and the behaviour that cause a range to be listed on the CSS list.
I’ll also point out that some of the ISPs also have CSS-like detectors and they will block, defer or otherwise deal with mail from ranges that they think are sending snowshoe spam.
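To make the "lot of little things" concrete, here is an added example (not Word to the Wise or Spamhaus code, and not the actual CSS criteria) of the kind of range-level scoring a receiver's CSS-like detector might do over observed mail. It groups observations by /24 and checks the signals listed above: the same template rendered from many IPs, rotating From: domains on identical content, reverse DNS that does not converge on one operator, From: domains unrelated to the sending hosts, and one domain pushing unrelated products. The sample observations, domains and thresholds are constructed for the example; the "registered domain" helper is a deliberate simplification (real code would use the Public Suffix List).

```python
"""
Score IP ranges for the snowshoe pattern. Added example, not Spamhaus or
Word to the Wise code; signals and thresholds are illustrative assumptions.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed sample observations: (source IP, From: domain, reverse DNS, body).
# All hosts, domains and messages are made up for this example.
OBSERVATIONS = [
    # 198.51.100.0/24: one template from 4 IPs, a second from 2 more,
    # rotating From: domains and rDNS that belong to nobody in particular.
    ("198.51.100.10", "bestdeals-mail.net", "mta10.bestdeals-mail.net",
     "Hi Bob, save 40% on widgets today! Order #48213 at http://bestdeals-mail.net/x1"),
    ("198.51.100.11", "greatoffer-now.com", "out11.mailsrv-a.biz",
     "Hi Sue, save 40% on widgets today! Order #11900 at http://greatoffer-now.com/q7"),
    ("198.51.100.12", "topvalue-today.info", "srv12.fastdelivr.cc",
     "Hi Ann, save 40% on widgets today! Order #77210 at http://topvalue-today.info/p3"),
    ("198.51.100.13", "greatoffer-now.com", "relay13.mailsrv-b.biz",
     "Hi Tim, refinance your mortgage now! Ref 88 at http://greatoffer-now.com/m2"),
    ("198.51.100.14", "quick-loans-4u.net", "out14.fastdelivr.cc",
     "Hi Kim, refinance your mortgage now! Ref 12 at http://quick-loans-4u.net/m9"),
    ("198.51.100.15", "topvalue-today.info", "mail15.mailsrv-a.biz",
     "Hi Joe, save 40% on widgets today! Order #5541 at http://topvalue-today.info/r8"),
    # 203.0.113.0/24: one brand, consistent rDNS, same newsletter from 3 IPs.
    ("203.0.113.20", "news.example-shop.com", "mta20.example-shop.com",
     "Hi Bob, your weekly Example Shop newsletter. Order #1 at http://news.example-shop.com/a"),
    ("203.0.113.21", "news.example-shop.com", "mta21.example-shop.com",
     "Hi Sue, your weekly Example Shop newsletter. Order #2 at http://news.example-shop.com/b"),
    ("203.0.113.22", "news.example-shop.com", "mta22.example-shop.com",
     "Hi Ann, your weekly Example Shop newsletter. Order #3 at http://news.example-shop.com/c"),
]


def template_key(body):
    """Collapse per-recipient variation (greeting name, numbers, URLs) so that
    messages rendered from the same template hash to the same key."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"^hi \w+,", "hi <name>,", text)
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def registered_domain(name):
    """Crude two-label 'registered domain' (mta1.example.com -> example.com).
    Assumption for the example; real code would consult the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def group_by_prefix(observations, prefixlen=24):
    """Bucket observations by the network each source IP belongs to."""
    groups = defaultdict(list)
    for obs in observations:
        net = ipaddress.ip_network(f"{obs[0]}/{prefixlen}", strict=False)
        groups[str(net)].append(obs)
    return groups


def snowshoe_signals(observations, min_ips=3):
    """Evaluate the range-level signals; each is harmless on its own."""
    template_ips = defaultdict(set)    # template -> IPs that sent it
    template_froms = defaultdict(set)  # template -> From: domains used for it
    from_templates = defaultdict(set)  # From: domain -> templates it pushed
    rdns_domains = set()
    mismatched = 0
    for ip, from_dom, rdns, body in observations:
        key = template_key(body)
        from_reg, rdns_reg = registered_domain(from_dom), registered_domain(rdns)
        template_ips[key].add(ip)
        template_froms[key].add(from_reg)
        from_templates[from_reg].add(key)
        rdns_domains.add(rdns_reg)
        if from_reg != rdns_reg:
            mismatched += 1
    return {
        # identical content coming from many IPs in the range
        "template_spread": any(len(s) >= min_ips for s in template_ips.values()),
        # the same content sent under several different From: domains
        "from_rotation": any(len(s) >= 2 for s in template_froms.values()),
        # reverse DNS does not converge on a single operator
        "rdns_rotation": len(rdns_domains) >= min_ips,
        # From: domains unrelated to the hosts that send them (majority of mail)
        "from_rdns_mismatch": mismatched > len(observations) // 2,
        # one From: domain selling very different products
        "mixed_campaigns": any(len(s) >= 2 for s in from_templates.values()),
    }


def score_ranges(observations, prefixlen=24, threshold=3):
    """Return {prefix: (score, verdict, signals)}; the verdict needs several
    signals together, never one alone."""
    result = {}
    for prefix, obs in group_by_prefix(observations, prefixlen).items():
        signals = snowshoe_signals(obs)
        score = sum(signals.values())
        verdict = "snowshoe-like" if score >= threshold else "no pattern"
        result[prefix] = (score, verdict, signals)
    return result


if __name__ == "__main__":
    for prefix, (score, verdict, signals) in score_ranges(OBSERVATIONS).items():
        print(prefix, score, verdict, sorted(k for k, v in signals.items() if v))
```

Note what the legitimate range does: it trips `template_spread` too, because one newsletter went out from three IPs. That single signal is not enough for a verdict, which is the point of the post: it is the combination of identical content, rotating domains, unrelated rDNS and mismatched From: domains across a range that marks it as snowshoe.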
===
Have a question you want answered? Tweet it to @wise_laura or send it to laura-questions@wordtothewise.com

Related Posts

Spamhaus DDoS

I got mail late last night from one of the Spamhaus peeps telling me that they were under a distributed Denial of Service (DDoS) attack. This is affecting email. Incoming email is delayed and they’re having difficulty sending outgoing email. This is affecting their responses to delisting queries.
They are working on mitigation and hopefully will be fully up and running soon.
Updates when I get them.
Update (8/29/2012): mail to Spamhaus should be back.


Links: September 24, 2012

Last week Return Path announced a new set of email intelligence products. One of their new products offers customers the chance to actually see how (some subset of) their customer base interacts with mail directly. It moves beyond simply looking at probe mailboxes and actually looks inside the mailboxes of recipients.
Spamhaus has listed bit.ly on the Domain Blocklist (DBL) for allowing spammers to abuse their redirector service. Spammers have been abusing bit.ly for a while, and I’m a little surprised it’s taken so long for a listing to happen. Steve wrote a post last year about URL redirectors and offered suggestions on what to do to avoid blocking problems when using a URL shortening service.
Real Insights has a very interesting post on why it should be “hard” to subscribe to your mailing list. There are also a number of good suggestions about the subscription process itself. Definitely worth a read.


Spamhaus changes

A number of ESPs are reporting an increase in SBL listings of big, well known brands. InterestingSBLs seems to confirm this.
Just in the month of June I see tweets reporting SBL listings for: Disney (again, and again), AAA Michigan, NRCC, the Mitt Romney campaign, Macy’s (again), Facebook, Walmart Brazil, Safeway, Bacardi.
What happened? I think there are a number of reasons for an increase in SBL listings of well known brands.
The first is that botnets are rapidly becoming a solved problem. That’s not to say that they’ve gone away, or that we should stop being vigilant about the spam and malicious mail coming out of them, but that there are more and better tools to deal with botnets than there have been in the past. That means that the folks at Spamhaus can look at different classes of unsolicited email.
I believe Spamhaus has some new mail feeds that let them see mail they were previously not seeing. Anyone who has multiple email addresses can tell you that the type of spam that one address gets is often vastly different than the type of mail another email address gets. When dealing with spamtrap feeds, that means that there is unsolicited mail that isn’t seen by the feed. I know there are companies who claim to have lists of hundreds of thousands of spamtraps, and I don’t doubt that some enterprising spammers have discovered Spamhaus spamtraps in the past. Adding new feeds means that Spamhaus will see spam that they were previously missing due to their traps being compromised.
As well as bringing up new feeds, I suspect Spamhaus has better tools to mine the data. This means they can see patterns and problem senders in a clearer way and list those that meet the Spamhaus listing criteria.
I’m not saying the Spamhaus standards have changed. Spamhaus has always said they will list anyone sending unsolicited bulk email. But, as with many organizations what they could do was limited by the available resources. That resource allocation has changed and they can deal with more senders.
What does all this mean for senders? In a perfect world it wouldn’t mean anything. Senders would actually be sending mail only to people who had asked to receive it. Senders would have good list hygiene and pull off abandoned addresses long before they could be turned into spamtraps.
But we all know this isn’t a perfect world. There are a lot of senders that have lists with years of cruft on them. And not all of those addresses on the list actually opted in to receive that mail. Many of those senders have good stats, decent opens, low unknown user rates, and low complaint rates. But that doesn’t mean there aren’t problems with the lists. And those hidden problems mean that not having had a Spamhaus listing in the past is no guarantee there won’t be one in your future. Senders who want to avoid SBL listings need to pay attention to list hygiene and dead addresses. It means the source of addresses and their audit trail is even more important than ever.
Meanwhile, ESPs are struggling to cope with the ongoing and increasing SBL listings.
EDIT: Mickey attributes some of the increase in listings to Spamhaus being better able to detect appended lists.
