Help! We’re on Spamhaus’ list

While trying to figure out what to write today, I checked Facebook, where I saw a post on the Women of Email group asking for help with a Spamhaus listing. I answered the question, then realized the answer was probably usable on the blog. So it’s an impromptu Ask Laura question.

We’re listed on Spamhaus’ list, any advice on how to get off? Our email provider has a plan, just looking for more input. 

If you’re on the SBL, there’s a problem (somewhere) with your data collection process. You’re getting addresses that don’t actually belong to your customers / subscribers / whatever.

The fastest way off is to cut WAY back on who you are mailing to. Mail only to addresses that you know for sure, based on activity in the email, want your mail. Then you can start to go through the other addresses and make decisions about how to verify that those addresses belong to the people you think they do.

If you’re at an ESP, do what they tell you to do. Most ESPs have dealt with this before.

One thing to think about, once you get past the crisis stage, is that if you’re on the SBL, it’s likely your delivery is overall pretty bad. These aren’t folks who dramatically list for a single mistake; there’s a pattern. ISPs look at different patterns, but will often find the same answers, and delivery will be bad.

It’s important to realize that Spamhaus has 4 or 5 different lists with different listing criteria. The advice above is for the SBL; there’s also CSS, CBL, PBL, DBL and XBL. They address different problems and have different listing and delisting criteria.

SBL

The one, the only, the original Spamhaus Block List. This is a manual list driven mostly by spamtrap hits. It lists IP addresses and only IP addresses. A few things you need to be aware of:

  • Listings are created by individuals.
  • The person who created the listing is also the person who is responsible for delisting. You will work with a single volunteer throughout the delisting process.
  • One spamtrap hit isn’t going to cause a listing. Generally it takes hundreds or thousands of trap hits to get listed.
  • Reputation matters. If you’re at an ESP that is trusted by Spamhaus, they’re probably going to list a .0 and let the ESP handle much of it.
  • Many SBL listings have nothing to do with marketing mail. The listings are for botnet command and control, malware servers and things like that.

CBL / XBL

CBL is designed to block malware and infected machines. If you’re on the CBL, it’s likely there is an infection somewhere on your network. The CBL folks often give quite a bit of information about what the infection is and how to resolve it.

  • Listings are automatic.
  • Delistings are self service
  • Repeated delistings without fixing the issue will result in automatic delisting no longer working.
  • A long time ago there were a couple buggy MTAs that would trigger listings. To the best of my knowledge they don’t any longer. If you’re listed and are absolutely sure there’s no problem, upgrade your MTA software.

CSS

CSS is a subset of the SBL. It’s intended to address snowshoeing, that is, bad behavior spread out over lots of IP addresses to hide. It lists IP addresses and only IP addresses.

  • Listings are automatic.
  • Delistings are self-service.
  • Repeated delistings without fixing the issue will result in automatic delisting no longer working.
  • CSS is tied to the DBL, so you have to address both listings.

DBL

DBL is the Domain Block List. It lists domains and not IP addresses. I’ll be honest, I don’t have as much experience with the DBL as with other lists, but I have had a few clients on the DBL.

  • DBL is tied into the CSS.
  • You can get on the DBL without the sending IP being on CSS.
  • DBL makes no judgement on the source of the mail, only the content of the mail.

PBL

PBL is the Policy Block List. This is a list of IP addresses curated by Spamhaus and some ISPs. It contains IP addresses that, by policy, should not be emitting email. The IPs are things like consumer cable modems where the AUP of the ISP says the customer may not host a mail server. This is another list I don’t have much familiarity with. The best advice is to talk to your ISP about the listing.

Zen

This is a combo list that combines the SBL, CBL and PBL. It’s mostly used for lookups. You’re never listed on Zen; you’re listed on something else, and that’s the listing you need to address. (In my initial post I confused the XBL with Zen. Zen is the composite list; XBL and the CBL are the anti-malware lists. I corrected the post. Thanks to an observant reader for alerting me to the error. That’s what I get for blogging late in the day and relying on memory.)
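Because Zen is a composite zone, the answer to a lookup tells you which underlying list you actually need to address. The sketch below is an added example, not code from the original post: it builds the Zen query name for an IPv4 address and maps the answer to SBL, CSS, XBL or PBL. The function names are hypothetical, and the return-code table comes from Spamhaus's published documentation rather than from this post.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Zen answers are A records in 127.0.0.0/8; the last octet names the component
# list. Values follow Spamhaus's published return codes, not the post itself.
COMPONENT = {2: "SBL", 3: "CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL", 10: "PBL", 11: "PBL"}

# 127.255.255.x answers are query errors, not listings.
QUERY_ERRORS = {
    "127.255.255.252": "typo in the DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}


def query_name(ip, zone=ZEN_ZONE):
    """Build the DNSBL name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Map Zen A-record answers to the component lists to address."""
    lists = set()
    for answer in answers:
        if answer in QUERY_ERRORS:
            raise RuntimeError("lookup failed: " + QUERY_ERRORS[answer])
        last = int(answer.rsplit(".", 1)[1])
        if answer.startswith("127.0.0.") and last in COMPONENT:
            lists.add(COMPONENT[last])
        else:
            lists.add("unknown (" + answer + ")")
    return sorted(lists)


def lookup(ip, resolver=socket.gethostbyname_ex):
    """Return the component lists for ip; an empty list means not listed."""
    try:
        _name, _aliases, answers = resolver(query_name(ip))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # NXDOMAIN: no listing
            return []
        raise  # resolver trouble is not the same as "clean"
    return classify(answers)
```

Run lookups through your own recursive resolver: a monitoring script that treats any answer as "listed" will misread the 127.255.255.x error codes as a listing.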

General advice

  • If you’re at an ESP, let the ESP handle the communication with Spamhaus for you. Most delivery folks can tell you about that customer that decided they could communicate better with Spamhaus directly and ended up having a harder road off the list.
  • If you are handling it yourself, check out “Help! I’m on a blocklist”, published by M3AAWG. It has tips and guidelines on communication.
  • Don’t bother trying to explain your business model. Really. Listings happen because there’s no valid permission. Focus on that issue and improve your data communication skills.
  • Deliverability problems – temp fails, bulk foldering – almost always precede an SBL listing. Deal with the problems before it gets to the point of the SBL.
  • If you end up completely stuck and can’t get off the SBL, CSS or DBL, contact an expert. Word to the Wise provides consultation and help with listings. Many of our clients come to us after other services haven’t helped or their ESP has referred them to us.

SBL listings are sometimes signals that something about data handling is off. The listing is the result of something other than a broken subscription process.

A few years ago an ESP referred a client to me because the situation was complex. The client had all the right subscription processes in place. They did correctly identify addresses to suppress. However, their backend data handling had a problem. When a certain sequence of events occurred, bad addresses were reactivated. We dealt with the listing, then dug into their data handling and changed some things to stop future listings.

Listings aren’t the end of the world. They have discrete causes and defined solutions. The folks at Spamhaus are generally willing to work with senders when there are issues.

 

1 comment

  1. Iss Meftah says

    CSS listings are based on a wide range of inputs and are always the result of multiple events and heuristics.
    Would previous bad history of the sending IP addresses or the neighbors of the sending IP trigger a new listing?
