ROKSO

ROKSO is the Register of Known Spamming Operations. It is a list of groups that have been disconnected from more than 3 different networks for spamming. ROKSO is a little bit different than most of the Spamhaus lists. The listings themselves talk more about the background of the listees and less about the specific emails that are the problem.
Many ISPs and ESPs use ROKSO during customer vetting processes.
Networks can be listed on ROKSO without any mail being sent from those networks. These listings are as much about just categorizing and recording associated networks as they are about blocking spam.
Spamhaus does not accept delisting requests for ROKSO records. In order to be delisted from ROKSO there must be a 6 month period with no spam traceable to the ROKSO entity. After those 6 months the listee can petition for a review of the record. If the spam has stopped, their record is retired.
In my experience there is often a lot of research put into each ROKSO record and not all that information is made public.
The only time a record is changed is if Spamhaus is convinced they made a mistake. This does happen, but it’s not that common. Given the amount of research that goes into a ROKSO record, there is a fairly high burden of proof to demonstrate that the information is actually incorrect.
It is possible to get delisted off ROKSO. In all of the cases I know about, the listed entity either got out of email altogether or they radically changed their business model.

Related Posts

Fake DNSBLs

Spamhaus announced a few years ago that they had discovered a company that is pirating various blocklists, relabeling them and selling access to them. Not only is the company distributing the zones, they’re also running a “pay to delist” scheme whereby senders are told that if they pay money, they’ll be removed from the lists.
The fake company does remove the listing from the fake zones, but does nothing to remove the IP from the original blocklist. This company has been caught before and was blocked from downloading Spamhaus hosted zones, but has apparently worked around the blocks and is continuing to pirate the zone data.
It’s not clear how many customers the blocklist has, although one ESP rep told me they were seeing bounces referencing nszones.com at some typo domains.
No legitimate DNSBL charges for delisting. While I, and other people, do consult for senders listed on the major blocklists, this is not a pay for removal. What I do is act as a mediator and translator, helping senders understand what they need to do to get delisted and communicating that back to the blocklist. I work with senders to identify good, clean addresses, bad address segments and then suggest appropriate ways to comply with the blocklist requirements.


Arrest made in Spamhaus dDOS

According to a press release by the Openbaar Ministerie (the Public Prosecution Office), a Dutch man with the initials SK has been arrested in Spain (English translation) for the DDoS attacks on Spamhaus. Authorities in Spain have searched the house where SK was staying and seized electronic devices including computers and mobile phones.
Brian Krebs has more, including multiple sources that identify SK as Sven Olaf Kamphuis. Sven Olaf Kamphuis was quoted in many articles about the DDoS, including the NY Times and various reports by Ken Magill.
ETA: Spamhaus thanks the LEOs involved in the arrest.


More on the attack against Spamhaus and how you can help

While much of the attack against Spamhaus has been mitigated and their services and websites are currently up, the attack is still ongoing. This is the biggest denial of service attack in history, with as much as 300 gigabits per second hitting Spamhaus servers and their upstream links.
This traffic is so massive that it’s actually affecting the Internet, and web surfers in some parts of the world are seeing network slowdowns because of it.
While I know that some of you may be cheering at the idea that Spamhaus is “paying” for their actions, this does not put you on the side of the good. Spamhaus’ actions are legal. The actions of the attackers are clearly illegal. Not only is the attack itself illegal, but many of the sites hosted by the purported source of the attacks provide criminal services.
By cheering for and supporting the attackers, you are supporting criminals.
Anyone who thinks that an appropriate response to a Spamhaus listing is an attack on the very structure of the Internet is one of the bad guys.
You can help, though. This attack is due to open DNS resolvers which are reflecting and amplifying traffic from the attackers. Talk to your IT group. Make sure your resolvers aren’t open and if they are, get them closed. The Open Resolver Project published its list of open resolvers in an effort to shut them down.
Here are some resources for the technical folks.
Open Resolver Project
Closing your resolver by Team Cymru
BCP 38 from the IETF
Ratelimiting DNS
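
One way to check a resolver you operate for the open-recursion problem described above, as an added example (not code from the original post or from the linked projects): it builds a recursive query and classifies the reply by its RA flag and response code. The probe name example.com, the function names and the sample replies are assumptions constructed for illustration; run the probe from an address outside the resolver's allowed client networks, otherwise a correctly restricted resolver will look open.

```python
import socket
import struct

TXID = 0x1234  # arbitrary transaction ID chosen for this example

def build_query(name, txid=TXID):
    """Build a DNS A-record query with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid=TXID):
    """Return 'open', 'closed', 'inconclusive' or 'invalid' for a reply."""
    if len(data) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or QR=0 (not a reply)
        return "invalid"
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if rcode == 5 or not ra:                # REFUSED, or recursion not offered
        return "closed"
    if rcode == 0 and ancount > 0:          # recursed and answered a stranger
        return "open"
    return "inconclusive"                   # e.g. SERVFAIL: retest

def probe(resolver_ip, name="example.com", timeout=3.0):
    """Query a resolver you operate, from OUTSIDE its allowed client networks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"            # dropped or filtered
    return classify_response(data)

def sample_response(flags, ancount):
    """Constructed reply bytes for offline use (not captured traffic)."""
    q = build_query("example.com")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return q[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + q[12:] + rr * ancount

if __name__ == "__main__":
    for label, flags, n in [("recursing", 0x8180, 1), ("refusing", 0x8105, 0)]:
        print(label, "->", classify_response(sample_response(flags, n)))
```

A result of "open" from an outside address means the resolver will recurse for anyone and should be restricted to its own clients.
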
News Articles (some linked above, some coming out after I posted this)
NY Times
BBC News
Cloudflare update
Spamhaus dDOS grows to Internet Threatening Size
Cyber-attack on Spamhaus slows down the internet
Cyberattack on anti-spam group Spamhaus has ripple effects
Biggest DDoS Attack Ever Hits Internet
Spamhaus accuses Cyberbunker of massive cyberattack
