What causes Spamhaus CSS listings

Today’s Wednesday Question comes from Zaib F.

What causes the Spamhaus CSS listing in your experience other than Sender using multiple sets of IPs, to look as if they are a valid sender. Do you think a Spamtrap plays a role?

I’ll preface this by saying I don’t know what the specific Spamhaus criteria are for listing on the CSS. I do know the overall goal of the CSS list is to catch snowshoeing. I also know some general things about how Spamhaus works. Spamhaus has access to lots of different email feeds that they use as data sources for their various lists. I believe that Spamhaus feeds are built around email addresses that are kept private. I do not believe Spamhaus uses those addresses to sign up for mail, nor do they ask or encourage other people to add those addresses to lists. Spamhaus has access to other types of data like BGP feeds and tools to organize and visualize the data.
Snowshoeing is where the sender uses a large number of IP addresses to send mail to avoid reputation based filtering. There isn’t a specific line between responsible mailing and snowshoeing. But it’s usually clear when a range is being used for snowshoeing.
Snowshoe spam isn’t just about a single email (or a few emails) being received. It’s about a pattern of identical emails coming from a range of IP addresses. It’s about rotating domains in the From: line with the same email content. It’s about random domains that don’t relate to the sender, or the ESP or the brand. It’s domains hiding behind proxy services. It’s mail that is clearly from the same templating engine, selling very different products. It’s rotating reverse DNS. It’s a lot of little things, none of which are problematic by themselves but put together indicate that the IP range might just be infested with spammers.
The direct answer to your question is: Yes I think spamtraps play a role in CSS listings. I think that mail sent to addresses that didn’t request the mail will trigger investigations. But it’s not the trap hit, or the mail to a person, that causes a CSS listing, though. A spamtrap hit is neither necessary nor sufficient for a CSS listing. It’s the technical characteristics and the behaviour that causes a range to be listed on the CSS list.
I’ll also point out that some of the ISPs also have CSS like detectors and they will block, defer or otherwise deal with mail from ranges that they think are sending snowshoe spam.
===
Have a question you want answered? tweet them to @wise_laura or send them to laura-questions@wordtothewise.com
 

Related Posts

Equivocating about spamtraps

What is a spamtrap? According to a post I saw on Twitter:

Read More

Dealing with complaints

There are a lot of people who abuse online services and use online services to abuse and harass other people. But handling complaints and handling the abuse are often afterthoughts for many new companies. They don’t think about how to accept and process complaints until they show up. Nor do they think about how bad people can abuse a system before hand.
But dealing with complaints is important and can be complicated. I’ve written many a complaint handling process document over the years, but even I was impressed with the Facebook flowchart that’s been passed around recently.

In the email space, though, all too many companies just shrug off complaints. They don’t really pay attention to what recipients are saying and treat complaints merely as unsubscribe requests. Their whole goal is to keep complaints below the threshold that gets them blocked at ISPs. To be fair, this isn’t as true with ESPs as it is with direct senders, many ESPs pay a lot of attention to complaints and will, in fact, initiate an investigation into a customer’s practice on a report from a trusted complainant.
There are a lot of legitimate email senders out there who value quantity over quality when it comes to complaints. But that doesn’t mean their lists are good or clean or they won’t see delivery problems or SBL listings at some point.

Read More

Thanks for your questions!

Thanks, everyone, who submitted questions to laura-questions@wordtothewise.com. We’ve gotten some great questions to answer here on the blog. I’m working through the emails and contacting folks if I have questions. I’ll be answering the first question on Wednesday.
I also did have someone harvest the address off the website and send me non-CAN SPAM compliant spam to it. I have to admit, I didn’t expect someone to harvest the address at all, but especially not within 12 hours of posting an address. Particularly someone who’s not harvested our contact address previously. I also am considering how much content I could get detailing taking the spammer to court in CA for violating CAN SPAM and the CA anti-spam statute.
 

Read More