Why is shared hosting like phishing?

A client of a friend was getting rejection messages when they tried to send mail

Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 5.7.1 The IP address of web site www.client.com [75.101.163.44] is listed at www.spamhaus.org (state 18).

What? An SBL listing? The client hadn’t done anything wrong, certainly nothing that would provoke the wrath of Spamhaus. And… they’re not sending email from 75.101.163.44 anyway, they’re sending it out through Google Apps. And, wait, www.client.com is listed on the SBL – the SBL lists IP addresses, not hostnames.
What is going on here?
We’ve mentioned in passing before that one of the good ways to filter mail based on content is to look for suspicious URLs in the message. One way of doing this is to use hostname-based blacklists, such as SURBL, URIBL or DBL. These list domain names that have been seen in spam (and pretty much only spam), and sending email with a listed hostname in it is a quick trip to blocksville at many ISPs.
Spammers, phishers especially, often cycle through domain names quickly in order to avoid the (manually maintained) hostname-based blacklists. They often host them at the same place, though, so if you look up the IP address the hostname resolves to you can use an IP based blacklist to see if the hostname is being used for spam or phishing related email payloads, and use that information to block the email. That’ll work even if the phishers use an entirely new domain for their websites, if it’s still hosted at the same place.
The SBL blacklist is commonly used in this way. It’s manually maintained and fairly hard to get on to, and finding URLs that resolve to addresses listed on the SBL in an email corresponds pretty strongly to the mail being unwanted. The folks who run the SBL are quite aware of this, and will commonly list IP addresses that are being used to host websites advertised in spam even if they never send email.
What happened in this case was that the client was hosting their website with Heroku, a perfectly respectable cloud-based ruby-on-rails web host. But Heroku use just three IP addresses for all their customers. And one of their customers was zapt.in, a URL shortener with a serious spam problem. Zapt.in caused problems for long enough, and didn’t respond to them for long enough, that their IP address was listed on the SBL.
That meant that all of Heroku’s customers were using an IP address listed on the SBL. Which, in turn, meant that any email those customers (or their affiliates or customers or…) sent that used the customer’s domain would be rejected by ISPs using the SBL-as-a-hostname-blacklist trick – which is a lot of large ISPs.
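The SBL-as-a-hostname-blacklist check described above, as an added example that is not code from the original post: it pulls hostnames out of a message body, resolves each to its IPv4 addresses and queries the sbl.spamhaus.org zone with the octets reversed, so every tenant of a shared address is flagged together. The resolver and lookup are parameters so the check can run against stub data offline; the sample message and the 203.0.113.10 address are constructed, and 75.101.163.44 is the address from the bounce above.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample message: the client's own hostname plus an unrelated link.
SAMPLE_BODY = """Hi,
Details are at http://www.client.com/offers/spring.html and
our docs live at https://docs.example.net/start
"""

SBL_ZONE = "sbl.spamhaus.org"  # DNS zone the SBL is queried through
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_hostnames(body):
    """Return the unique hostnames found in http(s) URLs in the message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def dnsbl_query_name(ip, zone=SBL_ZONE):
    """Build the reversed-octet query name, e.g. 44.163.101.75.sbl.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + "." + zone


def default_resolve(host):
    """Resolve a hostname to its IPv4 addresses (replaced by a stub in tests)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)})


def default_listed(query_name):
    """A DNSBL answers with an A record when listed and NXDOMAIN otherwise."""
    try:
        socket.gethostbyname(query_name)
        return True
    except socket.gaierror:
        return False


def find_listed_hosts(body, resolve=default_resolve, listed=default_listed):
    """Map each hostname in the message to the listed IPs it resolves to.
    The lookup never sees the hostname, only the address, which is exactly
    why one bad tenant on a shared IP drags every other site on it along."""
    hits = {}
    for host in extract_hostnames(body):
        bad = [ip for ip in resolve(host) if listed(dnsbl_query_name(ip))]
        if bad:
            hits[host] = bad
    return hits
```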
What can you do to avoid this? The ideal is to not host your website on a shared IP address (or in a /24 that’s littered with spam and phishing sites).
If you can’t do that – you really can’t move your main website to a more reputable host – then your next best option is to not use your main website in any of the email you send. You don’t want to hide the connection (because you don’t want to look like a snowshoe spammer who’s obfuscating their domain ownership), but you want the hostname to be different. A good way to do that, if your main domain name is example.com and your website is www.example.com, is to use a subdomain for URLs in emails. click.example.com, maybe.
Host that subdomain somewhere else, on an IP address you have a bit more control over – an inexpensive VPS or web hosting provider – and just run a web redirector there that simply sends an HTTP 302 redirect for any http://click.example.com/foo/bar/baz.html to http://example.com/foo/bar/baz.html. And use the click.example.com form of the URL for everything you use in your email – not just links, but also image tags and so on.
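A minimal redirector of the kind described above, added here as an example and not taken from the original post; the hostnames click.example.com and example.com are the ones the post uses. The destination host is fixed rather than read from the request, so the service cannot be turned into an open redirector, which is the first thing phishers look for in someone else’s redirect endpoint.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

CLICK_HOST = "click.example.com"  # hostname used in outbound mail
SITE_HOST = "example.com"         # where the real website lives


def redirect_target(request_path, host_header):
    """Rewrite a click-domain request to the same path and query on the main
    site. Returns None when the Host header is not ours, so the box answers
    only for the subdomain it was set up for."""
    if host_header.split(":")[0].lower() != CLICK_HOST:
        return None
    parts = urlsplit(request_path)
    # Keep path and query verbatim; discard any scheme or host a client put in
    # the request line, since the destination host is never client-controlled.
    return urlunsplit(("http", SITE_HOST, parts.path or "/", parts.query, ""))


class ClickRedirector(BaseHTTPRequestHandler):
    def do_GET(self):
        target = redirect_target(self.path, self.headers.get("Host", ""))
        if target is None:
            self.send_error(404)
            return
        self.send_response(302)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET  # image tags in mail may be probed with HEAD first


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), ClickRedirector).serve_forever()
```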
What if setting up your own redirector isn’t something you have the resources to do? Sign up for a web redirector or URL shortener service that’ll let you use your own domain name, like bit.ly Pro. That won’t give you as much control, or protection, as running your own redirector but it’s a lot better than running your website on a shared IP address.

Related Posts

Marketing to businesses

“If you do stupid things, you’re going to get blocked,” says Jigsaw CEO Jim Fowler in an interview with Ken Magill earlier this week.
Jigsaw is a company that rewards members to input their valuable business contacts. Once the addresses are input into Jigsaw, they are sold to anyone who wants them. Jigsaw gets the money, the people providing information get… something, the people who provided business cards to Jigsaw members get spammed and the people who downloaded the lists get to deal with a delivery mess. Sounds like a lose for everyone but Jigsaw.
Except that now Jigsaw is listed on the SBL for spam support services. Well, that’s going to cause some business challenges, particularly given how many companies use the SBL as part of their filtering scheme.
It’s hard to think of a situation where I would appreciate someone I gave a business card to providing my information to a site that then turns around and lets anyone download it to send email to. I know, I know, there are a million companies out there I’ve never heard of that have The Product that will Solve All my Problems. But, really, I don’t want them in my work mailbox. The address I give out on my business cards is, for, y’know, people to contact me about what I’m selling or to contact me about things they’ve already purchased from me. That address is not for people to market to. I have other addresses for vendors, and even potential vendors, to contact me.
Jigsaw clearly facilitates spam to businesses by collecting email addresses and then selling them on. This is a drain on small businesses who now have inboxes full of valuable offers to wade through. Perhaps their stint on the SBL will make them reconsider their spam support services.
HT: Al


Winning friends and removing blocks

I do a lot of negotiating with blocklists and ISPs on behalf of my clients and recently was dealing with two incidents. What made this so interesting to me was how differently the clients approached the negotiations.
In one case, a client had a spammer slip onto their system. As a result the client was added to the SBL. The client disconnected the customer, got their IP delisted from the SBL and all was good until the spammer managed to sweet talk the new abuse rep into turning his account back on. Predictably, he started spamming again and the SBL relisted the IP.
My client contacted me and asked me to intercede with Spamhaus. I received a detailed analysis of what happened, how it happened and how they were addressing the issue to prevent it happening in the future. I relayed the info to Spamhaus, the block was lifted and things are all back to normal.
Contrast that with another client dealing with widespread blocking due to a reputation problem. Their approach was to ask the blocking entity which clients they needed to disconnect in order to fix the problem. When the blocking entity responded, the customer disconnected the clients and considered the issue closed. They didn’t look at the underlying issues that caused the reputation problems, nor did they look at how they could prevent this in the future. They didn’t evaluate the customers they disconnected to identify where their processes failed.
The first client took responsibility for their problems, looked at the issues and resolved things without relying on Spamhaus to tell them how to fix things. Even though they had a problem, and are statistically going to have the occasional problem in the future, this interaction was very positive for them. Their reputation with the Spamhaus volunteers is improved because of their actions.
The second client didn’t do any of that. And the people they were dealing with at the blocking entity know it. Their reputation with the people behind the blocking entity was not improved by their actions.
These two clients are quite representative of what I’ve seen over the years. Some senders see blocking as a sign that somehow, somewhere there is a flaw in their process and a sign they need to figure out how to fix it. Others see blocking as an inconvenience. Their only involvement is finding out the minimum they need to do to get unblocked, doing it and then returning to business as usual. Unsurprisingly, the first type of client has a much better delivery rate than the second.


GFI/SORBS – should I use them?

Management Summary, Redistributable Documents and Links
In the past week we’ve demonstrated that the SORBS reputation data is riddled with mistakes, poor practices, security holes and operational problems, and that the quality of the end result is really too poor to be useful.
Today I’m looking at how this information should affect your choice of spam filtering technology.
