Brief DBL false positive


Spamhaus are rolling out a new subzone of the DBL, for domains whose webservers have been compromised and used to host spam landing pages, often via mass compromises of their management control panels. There was a brief mistake that caused all of .net to be listed in the new subzone, meaning that mail sent with URLs in it that used hostnames in .net may have been rejected or spam-foldered by early adopters or careless users of the DBL.
If you’re using one of the reputation services that wraps many different sorts of listing in a single zone, differentiating between different listing reasons by return code, you should be aware of what all the subzones are and what listings of each type mean. Unless the blacklist operator has a published policy about what sort of sublists might be added in the future, you should never configure your mailservers to take action on any returned value, rather you should check for specific return values and ignore any response that you don’t explicitly intend to use.
If your MTA supports it, logging unrecognized responses and alerting based on them is a good idea – both so you know when a new category is added, and so you know if you’ve been blocked from accessing the blacklist, or the blacklist has been shut down and is listing the entire Internet. It’s not unusual for blacklists to see very high query volumes for months or years after they’ve been shut down, presumably from users who are using the data as part of  a scoring system and who haven’t noticed that it’s no longer providing any useful data.
 

Google's Inbox Team answers questions on Reddit
Barracuda Email Security Service disruption

Related Posts

Winning friends and removing blocks

I do a lot of negotiating with blocklists and ISPs on behalf of my clients and recently was dealing with two incidents. What made this so interesting to me was how differently the clients approached the negotiations.
In one case, a client had a spammer slip onto their system. As a result the client was added to the SBL. The client disconnected the customer, got their IP delisted from the SBL and all was good until the spammer managed to sweet talk the new abuse rep into turning his account back on. Predictably, he started spamming again and the SBL relisted the IP.
My client contacted me and asked me to intercede with Spamhaus. I received a detailed analysis of what happened, how it happened and how they were addressing the issue to prevent it happening in the future. I relayed the info to Spamhaus, the block was lifted and things are all back to normal.
Contrast that with another client dealing with widespread blocking due to a reputation problem. Their approach was to ask the blocking entity which clients they needed to disconnect in order to fix the problem. When the blocking entity responded, the customer disconnected the clients and considered the issue closed. They didn’t look at the underlying issues that caused the reputation problems, nor did they look at how they could prevent this in the future. They didn’t evaluate the customers they disconnected to identify where their processes failed.
The first client took responsibility for their problems, looked at the issues and resolved things without relying on Spamhaus to tell them how to fix things. Even though they had a problem, and is statistically going to have the occasional problem in the future, this interaction was very positive for them. Their reputation with the Spamhaus volunteers is improved because of their actions.
The second client didn’t do any of that. And the people they were dealing with at the blocking entity know it. Their reputation with the people behind the blocking entity was not improved by their actions.
These two clients are quite representative of what I’ve seen over the years. Some senders see blocking as a sign that somehow, somewhere there is a flaw in their process and a sign they need to figure out how to fix it. Others see blocking as an inconvenience. Their only involvement is finding out the minimum they need to do to get unblocked, doing it and then returning to business as usual. Unsurprisingly, the first type of client has a much better delivery rate than the second.

Read More

URL reputation and shorteners

A bit of  a throwback post from Steve a few years ago. The problem has gotten a little better as some shortening companies are actually disabling spammed URLs, and blocking URLs with problematic content. I still don’t recommend using a public URL shortener in email messages, though.
Any time you put a URL in mail you send out, you’re sharing the reputation of everyone who uses URLs with that hostname. So if other people send unwanted email that has the same URL in it that can cause your mail to be blocked or sent to the bulk folder.
That has a bunch of implications. If you run an affiliate programme where your affiliates use your URLs then spam sent by your affiliates can cause your (clean, opt-in, transactional) email to be treated as spam. If you send a newsletter with advertisers URLs in it then bad behaviour by other senders with the same advertisers can cause your email to be spam foldered. And, as we discussed yesterday, if spammers use the same URL shortener you do, that can cause your mail to be marked as spam.
Even if the hostname you use for your URLs is unique to you, if it resolves to the same IP address as a URL that’s being used in spam, that can cause delivery problems for you.
What does this mean when it comes to using URL shorteners (such as bit.ly, tinyurl.com, etc.) in email you send out? That depends on why you’re using those URL shorteners.
The URLs in the text/html parts of my message are big and ugly
Unless the URL you’re using is, itself, part of your brand identity then you really don’t need to make the URL in the HTML part of the message visible at all. Instead of using ‘<a href=”long_ugly_url”> long_ugly_url </a>’ or ‘<a href=”shortened_url”> shortened_url </a>’ use ‘<a href=”long_ugly_url”> friendly phrase </a>’.
(Whatever you do, don’t use ‘<a href=”long_ugly_url”> different_url </a>’, though – that leads to you falling foul of phishing filters).
The URLs in the text/plain parts of my message are big and ugly
The best solution is to fix your web application so that the URLs are smaller and prettier. That will make you seem less dated and clunky both when you send email, and when your users copy and paste links to your site via email or IM or twitter or whatever. “Cool” or “friendly” URLs are great for a lot of reasons, and this is just one. Tim Berners-Lee has some good thoughts on this, and AListApart has two good articles on how to implement them.
If you can’t do that, then using your own, branded URL shortener is the next best thing. Your domain is part of your brand – you don’t want to hide it.
I want to use a catchy URL shortener to enhance my brand
That’s quite a good reason. But if you’re doing that, you’re probably planning to use your own domain for your URL shortener (Google uses goo.gl, Word to the Wise use wttw.me, etc). That will avoid many of the problems with using a generic URL shortener, whether you implement it yourself or use a third party service to run it.
I want to hide the destination URL from recipients and spam filters
Then you’re probably spamming. Stop doing that.
I want to be able to track clicks on the link, using bit.ly’s neat click track reporting
Bit.ly does have pretty slick reporting. But it’s very weak compared to even the most basic clickthrough reporting an ESP offers. An ESP can tell you not just how many clicks you got on a link, but also which recipients clicked and how many clicks there were for all the links in a particular email or email campaign, and how that correlates with “opens” (however you define that).
So bit.ly’s tracking is great if you’re doing ad-hoc posts to twitter, but if you’re sending bulk email you (or your ESP) can do so much better.
I want people to have a short URL to share on twitter
Almost all twitter clients will abbreviate a URL using some URL shortener automatically if it’s long. Unless you’re planning on using your own branded URL shortener, using someone else’s will just hide your brand. It’s all probably going to get rewritten as t.co/UgLy in the tweet itself anyway.
If your ESP offers their own URL shortener, integrating into their reporting system for URLs in email or on twitter that’s great – they’ll be policing users of that just the same as users of their email service, so you’re unlikely to be sharing it with bad spammers for long enough to matter.
All the cool kids are using bit.ly, so I need to to look cool
This one I can’t help with. You’ll need to decide whether bit.ly links really look cool to your recipient demographic (Spoiler: probably not) and, if so, whether it’s worth the delivery problems they risk causing.
And, remember, your domain is part of your brand. If you’re hiding your domain, you’re hiding your branding.
So… I really do need a URL shortener. Now what?
It’s cheap and easy to register a domain for just your own use as a URL shortener. Simply by having your own domain, you avoid most of the problems. You can run a URL shortener yourself – there are a bunch of freely available packages to do it, or it’s only a few hours work for a developer to create from scratch.
Or you can use a third-party provider to run it for you. (Using a third-party provider does mean that you’re sharing the same IP address as other URL shorteners – but everyone you’re sharing with are probably people like you, running a private URL shortener, so the risk is much, much smaller than using a freely available public URL shortener service.)
These are fairly simple fixes for a problem that’s here today, and is going to get worse in the future.

Read More

Bit.ly gets you Blocked

URL shorteners, like bit.ly, moby.to and tinyurl.com, do three things:

Read More