Help! We're on Spamhaus' list

While trying to figure out what to write today, I checked Facebook, where I saw a post on the Women of Email group asking for help with a Spamhaus listing. I answered the question, then realized that was probably usable on the blog. So it’s an impromptu Ask Laura question.

We’re listed on Spamhaus’ list, any advice on how to get off? Our email provider has a plan, just looking for more input. 
If you’re on the SBL, there’s a problem (somewhere) with your data collection process. You’re getting addresses that don’t actually belong to your customers / subscribers / whatever.
The fastest way off is to cut WAY back on who you are mailing to. Mail only to addresses you know, for sure, based on activity in the email, want your mail. Then you can start to go through the other addresses and make decisions about how to verify that those addresses belong to the people you think they do.
If you’re at an ESP, do what they tell you to do. Most ESPs have dealt with this before.
One thing to think about, once you get past the crisis stage, is that if you’re on the SBL, it’s likely your delivery is overall pretty bad. These aren’t folks that dramatically list for a single mistake; there’s a pattern. ISPs look at different patterns, but will often find the same answers and delivery will be bad.
It’s important to realize that Spamhaus has 4 or 5 different lists that have different listing criteria. The advice above is for the SBL; there’s also CSS, CBL, PBL, DBL and XBL. They address different problems and have different listing and delisting criteria.

SBL

The one, the only, the original Spamhaus Block List. This is a manual list driven mostly by spamtrap hits. It lists IP addresses and only IP addresses. A few things you need to be aware of.

  • Listings are created by individuals.
  • The person who created the listing is also the person who is responsible for delisting. You will work with a single volunteer throughout the delisting process.
  • One spamtrap hit isn’t going to cause a listing. Generally it takes hundreds or thousands of trap hits to get listed.
  • Reputation matters. If you’re at an ESP that is trusted by Spamhaus, they’re probably going to list a .0 and let the ESP handle much of it.
  • Many SBL listings have nothing to do with marketing mail. The listings are for botnet command and control, malware servers and things like that.

CBL / XBL

CBL is designed to block malware and infected machines. If you’re on the CBL, it’s likely there is an infection somewhere on your network. The CBL folks often give quite a bit of information about what the infection is and how to resolve it.

  • Listings are automatic
  • Delistings are self service
  • Repeated delistings without fixing the issue will result in automatic delisting no longer working.
  • A long time ago there were a couple buggy MTAs that would trigger listings. To the best of my knowledge they don’t any longer. If you’re listed and are absolutely sure there’s no problem, upgrade your MTA software.

CSS

CSS is a subset of the SBL. It’s intended to address snowshoeing, that is, bad behavior spread out over lots of IP addresses to hide. It lists IP addresses and only IP addresses.

  • Listings are automatic.
  • Delistings are self-service.
  • Repeated delistings without fixing the issue will result in automatic delisting no longer working.
  • CSS is tied to the DBL, so you have to address both listings.

DBL

DBL is the Domain Block List. It lists domains and not IP addresses. I’ll be honest, I don’t have as much experience with the DBL as with other lists, but I have had a few clients on the DBL.

  • DBL is tied into the CSS.
  • You can get on the DBL without the sending IP being on CSS.
  • DBL makes no judgement on the source of the mail, only the content of the mail.

PBL

PBL is the Policy Block List. This is a list of IP addresses curated by Spamhaus and some ISPs. It contains IP addresses that, by policy, should not be emitting email. The IPs are things like consumer cable modems where the AUP of the ISP says the customer may not host a mail server. Another list I don’t have much familiarity with. Best advice is to talk to your ISP about the listing.

Zen

This is a combo list that combines the SBL, CBL and PBL. It’s mostly used for lookups. You’re never listed on Zen, you’re listed on something else, and that’s the listing you need to address. (In my initial post I confused the XBL with Zen. Zen is the composite list; XBL and the CBL are the anti-malware lists. I corrected the post. Thanks to an observant reader for alerting me to the error. That’s what I get for blogging late in the day and relying on memory.)
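An added example, not part of the original post: because Zen is the zone you query and the answer tells you which component list holds the listing, this Python code builds the Zen query name for an IPv4 address and maps the answer codes Spamhaus documents for zen.spamhaus.org to the list you need to address. The function names and sample values are constructed for illustration; the refusal codes are separated out because treating them as listings is a common misreading.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Answer codes Spamhaus documents for the combined Zen zone.
LISTING_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "CSS",
    "127.0.0.4": "XBL",   # CBL data
    "127.0.0.10": "PBL",  # range maintained by the ISP
    "127.0.0.11": "PBL",  # range maintained by Spamhaus
}
# These answers mean the query itself was refused; they are NOT listings.
ERROR_CODES = {
    "127.255.255.252": "typo in the zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}

def zen_query_name(ip, zone=ZEN_ZONE):
    """Reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def interpret(answers):
    """Split A-record answers into (lists to address, query problems)."""
    lists, problems = set(), []
    for answer in answers:
        if answer in ERROR_CODES:
            problems.append(ERROR_CODES[answer])
        elif answer in LISTING_CODES:
            lists.add(LISTING_CODES[answer])
        else:
            problems.append("unrecognised answer " + answer)
    return sorted(lists), problems

def lookup(ip):
    """Live check; needs a resolver that is allowed to query Spamhaus."""
    try:
        answers = socket.gethostbyname_ex(zen_query_name(ip))[2]
    except (socket.gaierror, socket.herror):
        return [], []  # no record: not listed (or the lookup failed)
    return interpret(answers)

if __name__ == "__main__":
    # Constructed answers, as a listed address might return them.
    print(zen_query_name("192.0.2.10"))
    print(interpret(["127.0.0.3", "127.0.0.4"]))
    print(interpret(["127.255.255.254"]))
```
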

General advice

  • If you’re at an ESP let the ESP handle the communication with Spamhaus for you. Most delivery folks can tell you about that customer that decided they could communicate better with Spamhaus directly and ended up having a harder road off the list.
  • If you are handling it yourself, check out Help! I’m on a blocklist published by M3AAWG. It has tips and guidelines on communication.
  • Don’t bother trying to explain your business model. Really. Listings happen because there’s no valid permission. Focus on that issue and improve your data communication skills.
  • Deliverability problems – temp fails, bulk foldering – almost always precede an SBL listing. Deal with the problems before it gets to the point of the SBL.
  • If you end up completely stuck and can’t get off the SBL, CSS or DBL, contact an expert. Word to the Wise provides consultation and help with listings. Many of our clients come to us after other services haven’t helped or their ESP has referred them to us.

SBL listings are sometimes signals that something about data handling is off. The listing is the result of something other than a broken subscription process.
A few years ago an ESP referred a client to me because the situation was complex. The client had all the right subscription processes in place. They did correctly identify addresses to suppress. However, their backend data handling had a problem. When a certain sequence of events occurred, bad addresses were reactivated. We dealt with the listing, then dug into their data handling and changed some things to stop future listings.
Listings aren’t the end of the world. They have discrete causes and defined solutions. The folks at Spamhaus are generally willing to work with senders when there are issues.
 

Related Posts

What happened with the CBL false listings?

The CBL issued a statement and explanation for the false positives. Copying it here because there doesn’t seem to be a way to link directly to the statement on the CBL front page.


CBL issues

I started seeing some folks complain about false CBL listings a few hours ago. I’m now seeing the same folks saying the listings are being removed.
The symptoms look similar to what happened in November (mentioned here), but it appears the CBL team are on top of things and are working to rectify things quickly.


Fake DNSBLs

Spamhaus announced a few years ago that they have discovered a company that is pirating various blocklists, relabeling them and selling access to them. Not only is the company distributing the zones, they’re also running a “pay to delist” scheme whereby senders are told if they pay money, they’ll be removed from the lists.
The fake company does remove the listing from the fake zones, but does nothing to remove the IP from the original sender. This company has been caught in the past and was blocked from downloading Spamhaus hosted zones in the past, but have apparently worked around the blocks and are continuing to pirate the zone data.
It’s not clear how many customers the blocklist has, although one ESP rep told me they were seeing bounces referencing nszones.com at some typo domains.
No legitimate DNSBL charges for delisting. While I, and other people, do consult for senders listed on the major blocklists, this is not a pay for removal. What I do is act as a mediator and translator, helping senders understand what they need to do to get delisted and communicating that back to the blocklist. I work with senders to identify good, clean addresses, bad address segments and then suggest appropriate ways to comply with the blocklist requirements.
