Brief DBL false positive


Spamhaus are rolling out a new subzone of the DBL, for domains whose webservers have been compromised and used to host spam landing pages, often via mass compromises of their management control panels. There was a brief mistake that caused all of .net to be listed in the new subzone, meaning that mail sent with URLs in it that used hostnames in .net may have been rejected or spam-foldered by early adopters or careless users of the DBL.
If you’re using one of the reputation services that wraps many different sorts of listing in a single zone, differentiating between different listing reasons by return code, you should be aware of what all the subzones are and what listings of each type mean. Unless the blacklist operator has a published policy about what sort of sublists might be added in the future, you should never configure your mailservers to take action on any returned value, rather you should check for specific return values and ignore any response that you don’t explicitly intend to use.
If your MTA supports it, logging unrecognized responses and alerting based on them is a good idea – both so you know when a new category is added, and so you know if you’ve been blocked from accessing the blacklist, or the blacklist has been shut down and is listing the entire Internet. It’s not unusual for blacklists to see very high query volumes for months or years after they’ve been shut down, presumably from users who are using the data as part of  a scoring system and who haven’t noticed that it’s no longer providing any useful data.
 

Related Posts

ROKSO

ROKSO is the Register of Known Spamming Operations. It is a list of groups that have been disconnected from more than 3 different networks for spamming. ROKSO is a little bit different than most of the Spamhaus lists. The listings themselves talk more about the background of the listees and less about the specific emails that are the problem.
Many ISPs and ESPs use ROKSO during customer vetting processes.
Networks can be listed on ROKSO without any mail being sent from those networks. These listings are as much about just categorizing and recording associated networks as they are about blocking spam.
Spamhaus does not accept delisting requests for ROKSO records. In order to be delisted from ROKSO there must be a 6 month period with no spam traceable to the ROKSO entity. After that 6 months the listee can petition for a review of the record. If the spam has stopped their record is retired.
In my experience there is often a lot of research put into each ROKSO record and not all that information is made public.
The only time a record is changed is if Spamhaus is convinced they made a mistake. This does happen, but it’s not that common. Given the amount of research that goes into a ROKSO record, there is a fairly high burden of proof to demonstrate that the information is actually incorrect.
It is possible to get delisted off ROKSO. In all of the cases I know about, the listed entity either got out of email altogether or they radically changed their business model.

Read More

Links: September 24, 2012

Last week Return Path announce a new set of email intelligence products. One of their new products offers customers the chance to actually see how (some subset of) their customer base interacts with mail directly. It moves beyond simply looking at probe mailboxes and actually looks inside the mailbox of recipients.
Spamhaus has listed bit.ly on the Domain Blocklist (DBL) for allowing spammers to abuse their redirector service. Spammers have been abusing bit.ly for a while, and I’m a little surprised it’s taken so long for a listing to happen. Steve wrote a post last year about URL redirectors and offered suggestions on what to do to avoid blocking problems when using a URL shortening service.
Real Insights has a very interesting post on why it should be “hard” to subscribe to your mailing list. There are also a number of good suggestions about the subscription process itself. Definitely worth a read.

Read More

Images, again

It’s a new year, but an old problem. Email with unloaded images.
Sure, you should be including critical content as text, and/or including alt-text as a normal part of your creative design process, but at the bare minimum you should look at what your mail looks like without images.
The last thing you want to do is send out email with just one strong call to action – the unsubscribe link.

Read More