Spamhaus
Is email dead?
These last few years have been something, huh? Something had to give and, in my case, that something was blogging. There were a number of reasons I stopped writing here, many of them personal, some of them more global. I will admit, I was (and still am a little) burned out as it seemed I was saying and writing the same things I’d been saying and writing for more than a decade. Taking time off has helped a little bit, as much to focus on what I really want to talk about.
Read MoreConfidential to ESPs
Dear Colleagues at ESPs,
We have a problem. More specifically, YOU have a problem. You have a spam problem. One that you’re not taking care of in any way, shape or form.
Read MoreSpamhaus DBL errors
Sometime in the last few days, Spamhaus seems to have started issuing a block message if someone queries the DBL with an IP address. folks started seeing an uptick in error messages that mention Spamhaus saying:
ESPs are failing recipients
Over the last few years I’ve reduced the complaints I send to ESPs about their customers to almost nothing. The only companies I send complaints to are ones where I actually know folks inside the compliance desk, and I almost never expect action, I just send them as professional courtesy.
Deliverability Help: Information checklist
When asking a for assistance with email delivery, there are some pieces of information that are required before anyone can help. Be prepared with the information so you can get timely assistance. This advice is true whether you’re looking for help from peers or working with paid deliverability consultants.
Read MoreTools aren’t a luxury
I was on the phone with a colleague recently. They were talking about collecting a bit of data over the weekend and mentioned how great it was they had the tools to be able to do this. Coincidentally, another colleague mentioned that when the subscription bombing happened they were able to react quickly because they had a decent tool chain. I’ve also been working with some clients who are dealing with compliance issues but don’t have the tools they need.
Read MoreThinking about filters
Much of the current deliverability advice focuses on a few key ideas:
Read MoreSpamhaus DBL
Over the last few months I’ve gotten an increasing number of questions about the Spamhaus DBL. So it’s probably time to do a blog post about it.
Read MoreMicrosoft using Spamhaus Lists
An on the ball reader sent me a note today showing a bounce message indicating microsoft was rejecting mail due to a Spamhaus Blocklist Listing.
5.7.1 Client host [10.10.10.10] blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (S3130). [VE1EUR03FT043.eop-EUR03.prod.protection.outlook.com]
The IP in question is listed on the CSS, which means at a minimum Microsoft is using the SBL. I expect they’re actually using the ZEN list. ZEN provides a single lookup for 3 different lists: the SBL, XBL and PBL. The XBL is a list of virus infected machines and the PBL is a list of IPs that the IP owners state shouldn’t be sending email. Both of these lists are generally safe to use. If MS is using the SBL, it’s very likely they’re using the other two as well.
What kind of mail do filters target?
All to often we think of filters as a linear scale. There’s blocking on one end, and there’s an inbox on the other. Every email falls somewhere on that line.
Makes sense, right? Bad mail is blocked, good mail goes to the inbox. The bulk folder exists for mail that’s not bad enough to block, but isn’t good enough to go to the inbox.
Once we get to that model, we can think of filters as just different tolerances for what is bad and good. Using the same model, we can see aggressive filters block more mail and send more mail to bulk, while letting less into the inbox. There are also permissive filters that block very little mail and send most mail to the inbox.
That’s a somewhat useful model, but it doesn’t really capture the full complexity of filters. There isn’t just good mail and bad mail. Mail isn’t simply solicited or unsolicited. Filters take into account any number of factors before deciding what to do with mail.
What's going on with your SBL listing?
This popped up on my Facebook memories this morning. I don’t post about client events very often, but given I can’t remember even what client this is, I don’t think I’m revealing too much info.
FB memory from a few years ago.
Help! We're on Spamhaus' list
While trying to figure out what to write today, I checked Facebook. Where I saw a post on the Women of Email group asking for help with a Spamhaus listing. I answered the question. Then realized that was probably useable on the blog. So it’s an impromptu Ask Laura question.
We’re listed on Spamhaus’ list, any advice on how to get off? Our email provider has a plan, just looking for more input.
If you’re on the SBL, there’s a problem (somewhere) with your data collection process. You’re getting addresses that don’t actually belong to your customers / subscribers / whatever.
The fastest way off it to cut WAY back on who you are mailing to. Mail only to addresses you know, for sure, based on activity in the email, want your mail. Then you can start to go through the other addresses and make decisions about how to verify that those addresses belong to the people you think they do.
If you’re at an ESP, do what they tell you to do. Most ESPs have dealt with this before.
One thing to think about, once you get past the crisis stage, is that if you’re on the SBL, it’s likely your delivery is overall pretty bad. These aren’t folks that dramatically list for a single mistake, there’s a pattern. ISPs look at different patterns, but will often find the same answers and delivery will be bad.
It’s important to realize that Spamhaus has 4 or 5 different lists that have different listing criteria. This is for the SBL, there’s also CSS, CBL, PBL, DBL and XBL. They address different problems and have different listing and delisting criteria.
News in the email space
Various things happening in the email space recently that are worth mentioning but don’t have enough to justify a whole blog post.
Verizon announced a new umbrella company for the AOL and Yahoo media properties, including things like Engadget, Huffington Post. Based on the various press articles I’ve seen this doesn’t appear to affect the email handling for either set of domains.
Large companies (un?)knowingly hire spammers
This morning, CSO and MacKeeper published joint articles on a massive data leak from a marketing company. (Update: 2019: both articles are gone, a cached version of the CSOnline link is at https://hackerfall.com/story/the-fall-of-an-empire-spammers-expose-their-entire) This company, River City Media (RCM), failed to put a password on their online backups sometime. This leaked all of the company’s data out to the Internet at large. MacKeeper Security Researcher, Chris Vickery discovered the breach back in December and shared the information with Spamhaus and CSO online.
The group has spent months going through the data from this spammer. As of this morning, the existence of the breach and an overview of the extent of their operation were revealed by CSO and MacKeeper. Additionally, Spamhaus listed the network on the Register of Known Spamming Operations (ROKSO).
There are a couple interesting pieces of this story relevant to legitimate marketers.
The biggest issue is the number of brands who are paying spammers to send mail from them. The CSO article lists just some of the brands that were buying mail services from RCM:
Spamhaus and subscription bombing
Spamhaus released a blog post today discussing the recent subscription bombing: Subscription bombing COI captcha and the next generation of mail bombs.
As I mentioned in my initial posts, this abusive behavior goes beyond spamming. This is using email to harass individuals. Spamhaus even mentions a potential service that can be used to do these kinds of mailbombing.
Things folks need to know is that this is not just about ESPs and commercial mail. One of the big targets was WordPress admin forms. As Spamhaus says:
Spamhaus comments on subscription attack
Steve Linford, CEO of Spamhaus commented on my blog post about the current listings. I’m promoting it here as there is valuable information in it.
Read MoreThe 10 worst …
Spamhaus gave a bunch of us a preview of their new “Top 10 worst” (or should that be bottom 10?) lists at M3AAWG. These lists have now been released to the public.
The categories they’re measuring are:
CBL issues
I started seeing some folks complain about false CBL listings a few hours ago. I’m now seeing the same folks saying the listings are being removed.
The symptoms look similar to what happened in November (mentioned here), but it appears the CBL team are on top of things and are working to rectify things quickly.
What happened with the CBL false listings?
The CBL issued a statement and explanation for the false positives. Copying it here because there doesn’t seem to be a way to link directly to the statement on the CBL front page.
Increase in CBL listings
Update: As of Nov 24, 2015 11:18 Pacific, Spamhaus has rebuilt the zone and removed the broken entries. Expect the new data to propagate in 10 – 15 minutes. Delivery should be back to normal.
The CBL issued a statement, which I reposted for readers that find this post in the future. I think it’s important to remember there is a lot of malicious traffic out there and that malicious traffic affects all of us, even if we never see it.
Original Post from 10am pacific on Nov 24
Mid-morning west coast time, I started seeing an uptick in reports from many ESPs and marketers that they were getting listed on the XBL/CBL. Listings mentioned the kelihos spambot.
Dealing with blocklists, deliverability and abuse people
There are a lot of things all of us in the deliverability, abuse and blocklist space have heard, over and over and over again. They’re so common they’re running jokes in the industry. These phrases are used by spammers, but a lot of non-spammers seem to use them as well.
The most famous is probably “I’m sure they’ll unblock me if I can just explain my business model.” Trust me, the folks blocking your mail don’t want to hear about your business model. They just want you to stop doing whatever it is you’re doing. In fact, I’m one of the few people in the space who actually wants to hear about your business model – so I can help you reach your goals without doing things that get you blocked.
A few months ago, after getting off yet another phone call where I talked clients down from explaining their business model to Spamhaus, I put together list of phrases that senders really shouldn’t use when talking to their ESP, a blocklist provider or an abuse desk. I posted it to a closed list and one of the participants put it together into a bingo card.
A lot of these statements are valid marketing and business statements. But the folks responsible for blocking mail don’t really care. They just want their users to be happy with the mail they receive.
ROKSO lawsuit settled
Earlier this year Ken Magill reported that a judge in the UK was allowing a libel case against Spamhaus to go forward. I thought for sure I’d blogged about the case at the time, but apparently I didn’t.
The short version is that today Spamhaus announced the lawsuit was settled and the complainants paid for Spamhaus’ legal fees.
As with most legal cases the details are complex and convoluted. Let me try to sum up.
Email verification services
Just yesterday a group of delivery folks were discussing email verification services over IRC. We were talking about the pros and cons, when we’d suggest using them, when we wouldn’t, which ones we’ve worked with and what our experiences have been. I’ve been contemplating writing up some of my thoughts about verification services but it’s a post I wanted to spend some time on to really address the good parts and the bad parts of verification services.
Today, Spamhaus beat me to the punch and posted a long article on how they view email verification services. (I know that some Spamhaus folks are part of that IRC channel, but I don’t think anyone was around for the discussion we had yesterday.)
It’s well worth a read for anyone who wants some insight into how email verification is viewed by Spamhaus. Their viewpoints are pretty consistent with what I’ve heard from various ISP representatives as well.
In terms of my own thoughts on verification services, I think it’s important to remember that the bulk of the verification services only verify that an address is deliverable. The services do not verify that the address belongs to the person who input it into a form. The services do not verify that an address matches a purchased profile. The services do not verify that the recipient wants email from the senders.
Some of the services claim they remove spamtraps, but their knowledge of spamtraps is limited. Yes, stick around this industry long enough and you’ll identify different spamtraps, and even spamtrap domains. I could probably rattle off a few dozen traps if pressed, but that’s not going to be enough to protect any sender from significant problems.
Some services can be used for real time verification, and that is a place where I think verification can be useful. But I also know there are a number of creative ways to do verification that also check things like permission and data validity.
From an ESP perspective, verification services remove bounces. This means that ESPs have less data to apply to compliance decisions. Bounce rate, particularly for new lists, tells the ESP a lot about the health of the mailing list. Without that, they are mostly relying on complaint data to determine if a customer is following the AUP.
Spamhaus talks about what practices verification services should adopt in order to be above board. They mention actions like clearly identifying their IPs and domains, not switching IPs to avoid blocks and not using dozens or hundreds of IPs. I fully support these recommendations.
Email verification services do provide some benefit to some senders. I can’t help feeling, though, that their main benefit is simply lowering bounce rates and not actually improving the quality of their customers’ signup processes.
Brief DBL false positive
A code glitch in a new DBL sub-zone known as 'Abused-Legit' caused the new Abused-Legit zone to list ".net." for 60 minutes from 08:35 UTC.
Read More
The true facts of spam traps and typo traps
I’m seeing an increase in the number of articles stating wildly wrong things about spam traps. Some have started claiming that typo traps are new. Or that typo traps are newly used by Spamhaus. These claims make for great copy, I guess. Wild claims about how the evil anti-commerce self-appointed internet police are actively trying to trap marketers get clicks. These claims also reinforce the martyr complex some senders have and gives them something to commiserate about over drinks at the next email conference.
I strongly recommend ignoring any article that claims Spamhaus started using typo traps in December 2012. In fact, you can immediately dismiss absolutely everything they have to say. They are wrong and have proven they can’t be bothered to do any fact checking.
I can’t figure out why so many people repeat the same false statements over and over and over again. They’re wrong, and no amount of explaining the truth seems to make any difference. I went looking for evidence.
First, I asked on Facebook. A bunch of my contacts on Facebook have have been running spam traps for a long time. Multiple people commented that they, personally, have been using typos to track spam since the late ’90s. These typos were on both the right hand side of the @ sign (the domain side) but also on the left hand side of the @ sign (the username).
Then, I looked through my archives of one of the anti-spam mailing lists and I see a Spamhaus volunteer mentioning that he had already been using typo traps in 2007. I asked him about this and he pointed out these are some of his older traps and had been around for many years before that mention.
Of course, we’ve written about typo domains used by an anti-spam group to catch spam.
The truth is, typo traps are not new and they’re not a new set of traps for Spamhaus. I’ve talked about traps over and over again. But I’m seeing more and more articles pop up that make verifiably wrong statements about spam traps. Here are a few facts about spam traps.
Spamhaus on ESPs
Promoted from yesterday’s comments, Spamhaus comments on my discussion of filtering companies getting tired of ESPs.
You hit the nail square on, Laura.
As Laura knows but many here might not, I am with the Spamhaus project. At one time I was leading efforts to clean up ESP spam. I am not deeply involved with ESP listings any longer. I can however testify that ESPs ask Spamhaus volunteers for a great deal of information about their SBL listings, considerably more than most ISPs or web hosting companies. Certain team members avoid ESP listings except in extreme cases because they don’t want to spend that much time on one SBL.
Whilst I was doing many ESP listings, I attempted to provide requested information, often at great length, with mixed results. In one notable case, an ESP that I provided with a report on hits from that ESP’s IPs on our spamtraps took that report and turned around their entire business. They had been an average ESP: not worse than most ESPs, but not better either. It’s been about three years now. This ESP is now in any list of the least spam-friendly two or three ESPs in the business. I’m honored to have been able to contribute to that change, am delighted at the results, and have learned a great deal from that ESP’s abuse team, which is superb.
That hasn’t happened often, though. I’ve provided similar reports to a number of other ESPs; I try not to play favorites. It is Spamhaus policy not to treat ISPs, ESPs, web hosts, and others whose IPs are listed for spamming differently except based upon our observations of which responds to spam issues effectively and which do not. I would also rather see a spam problem fixed than a spammer terminated just to move somewhere else and continue to spam.
The spam flow from many ESP customers that I reported to the ESP dropped, then slowly rose to previous and often higher levels. There are strings of SBL listings as a spam problem is mitigated, then inexplicably (according to the ESP) comes back. I do not find most of those recurrences inexplicable. I conclude, in many cases, that the ESP is unwilling to do the proactive work necessary to catch most spam before it leaves their IPs, even when they know what needs to be done.
To make matters clear, the ESP representatives that I communicate with are not usually to blame for this problem. Their managers and the policymakers at the ESP are to blame. The decisionmakers at the ESP are not willing to require paying customers to adhere to proper bulk email practices and standards and enforce permanent sanctions against most who fail to do so.
Granted, some customers resist not because they are deliberately spamming non-opt-in email addresses, but because they think that quantity (of email) is more important than quality. Such customers don’t want to see lists shrink even when those lists are comprised largely of non-responsive deadwood email addresses. Such customers send a great deal of spam and annoy a great many of our users, who really do not care whether the spam problem is due to carelessness or deliberate action.
In other cases, of course, ESP customers resist following best practices because they cannot. They are mailing email appended and purchased lists. If they don’t maintain some sort of plausible deniability about the sources of those lists, they know that we will list their IPs (at the ESP and elsewhere) and refuse to remove those listings til they do.
In either case, an ESP that is unwilling to impose sanctions on customers whose lists persist in hitting large numbers of spamtraps after repeated mitigation attempts needs to fire those customers. Otherwise it is failing to act as a legitimate bulk emailer. Such ESPs must expect to see their IPs blocked or filtered heavily because they deliver such large quantities of spam compared to solicited email.
ROKSO
ROKSO is the Register of Known Spamming Operations. It is a list of groups that have been disconnected from more than 3 different networks for spamming. ROKSO is a little bit different than most of the Spamhaus lists. The listings themselves talk more about the background of the listees and less about the specific emails that are the problem.
Many ISPs and ESPs use ROKSO during customer vetting processes.
Networks can be listed on ROKSO without any mail being sent from those networks. These listings are as much about just categorizing and recording associated networks as they are about blocking spam.
Spamhaus does not accept delisting requests for ROKSO records. In order to be delisted from ROKSO there must be a 6 month period with no spam traceable to the ROKSO entity. After that 6 months the listee can petition for a review of the record. If the spam has stopped their record is retired.
In my experience there is often a lot of research put into each ROKSO record and not all that information is made public.
The only time a record is changed is if Spamhaus is convinced they made a mistake. This does happen, but it’s not that common. Given the amount of research that goes into a ROKSO record, there is a fairly high burden of proof to demonstrate that the information is actually incorrect.
It is possible to get delisted off ROKSO. In all of the cases I know about, the listed entity either got out of email altogether or they radically changed their business model.
Open relays
Spamhaus wrote about the return of open relays yesterday. What they’re seeing today matches what I see: there is fairly consistent abuse of open relays to send spam. As spam problems go it’s not as serious as compromised machines or abuse-tolerant ESPs / ISPs/ freemail providers – either in terms of volume or user inbox experience – but it’s definitely part of the problem.
I’m not sure how much of a new problem it is, though.
Spammers scan the ‘net for mailservers and attempt to relay email through them back to email addresses they control. Any mail that’s delivered is a sign of an open relay. They typically put the IP address of the mailserver they connected to in the subject line of the email, making it easy for them to mechanically extract a list of open relays.
We run some honeypots that will accept and log any transaction, which looks just like an open relay to spammers other than not actually relaying any email. They let us see what’s going on. Here’s a fairly typical recent relay attempt:
ISP Relationships
Delivra has a new whitepaper written by Ken Magill talking about the value (or lack thereof) of relationships with ISPs. In Ken’s understated way, he calls baloney on ESPs that claim they have great delivery because they have good relationships with ISPs.
He’s right.
I get a lot of calls from potential clients and some calls from current clients asking me if I can contact an ISP on their behalf and “tell the ISP we’re really not a spammer”. My normal answer is that I can, but that there isn’t a place in the spam filtering process for “sender has hired Laura and she says they’re not a spammer.” I mean, it would be totally awesome if that was the case. But it’s not. It’s even the case where I’m close friends with folks inside the ISPs.
I’m pretty sure I’ve told the story before about being at a party with one of the Hotmail ISP folks. There was a sender that had hired me to deal with some Hotmail issues and I’d been working with Barry H. (name changed, and he’s not at Hotmail any more) to resolve it. During the course of the party, we started talking shop. Barry told me that he was sure that my client was sending opt-in mail, but that his users were not reacting well for it. He also told me there was no way he could override the filters because there wasn’t really a place for him to interfere in the filtering.
Even when folks inside the ISPs were willing and able to help me, they usually wouldn’t do so just because I asked. They might look at a sender on my request, but they wouldn’t adjust filters unless the sender met their standards.
These days? ISPs are cutting their non-income producing departments to the bone, and “sender services” is high up the list of departments to cut. Most of the folks I know have moved on from the ISP to the ESP side. Ken mentions one ISP rep that is now working for a sender. I actually know of 3, and those are just employees from the top few ISPs who are now at fairly major ESPs. I’m sure there are a lot more than that.
The reality is, you can have the best relationships in the world with ISPs, but that won’t get bad mail into the inbox. Filters don’t work that way anymore. That doesn’t mean relationships are useless, though. Having relationships at ISPs can get information that can shorten the process of fixing the issue. If an ISP says “you are blocked because you’re hitting spam traps” then we do data hygiene. If the ISP says “you’re sending mail linking to a blocked website” then we stop linking to that website.
I have a very minor quibble with one thing Ken said, though. He says “no one has a relationship with Spamhaus volunteer, they’re all anonymous.” This isn’t exactly true. Spamhaus volunteers do reveal themselves. Some of them go around openly at MAAWG with nametags and affiliations. A couple of them are colleagues from my early MAPS days. Other do keep their identities secret, but will reveal them to people they trust to keep those identities secret. Or who they think have already figured it out. There was one drunken evening at MAAWG where the nice gentleman I was joking with leaned over and says “You know I am elided from Spamhaus, right?” Uh. No? I didn’t. I do now!
But even though I have the semi-mythical personal relationship with folks from Spamhaus, it doesn’t mean my clients get preferential treatment. My clients get good advice, because I know what Spamhaus is looking for and can translate their requirements into solid action steps for the client to perform. But I can think of half a dozen ESP delivery folks that have the same sorts of relationships with Spamhaus volunteers.
Overall, relationships are valuable, but they are not sufficient to fix inbox delivery problems.
Spamhaus answers marketer questions
A few months ago, Ken Magill asked marketers, including the folks at Only Influencers to provide him with questions to pass along to Spamhaus. Spamhaus answered the first set in March, but then were hit with the Stophaus attack and put answering further questions on hold. Last week, they provided a second set of answers and this week they provided a third.
Nothing in there is surprising, but it’s worth folks heading over and reading.
There are a couple useful things that I think are worth highlighting.
When discussing spamtraps and how Spamhaus handles the traps.
Fake DNSBLs
Spamhaus recently announced a few years ago that they have discovered a company that is pirating various blocklists, relabeling them and selling access to them. Not only is the company distributing the zones, they’re also running a “pay to delist” scheme whereby senders are told if they pay money, they’ll be removed from the lists.
The fake company does remove the listing from the fake zones, but does nothing to remove the IP from the original sender. This company has been caught in the past and was blocked from downloading Spamhaus hosted zones in the past, but have apparently worked around the blocks and are continuing to pirate the zone data.
It’s not clear how many customers the blocklist has, although one ESP rep told me they were seeing bounces referencing nszones.com at some typo domains.
No legitimate DNSBL charges for delisting. While I, and other people, do consult for senders listed on the major blocklists, this is not a pay for removal. What I do is act as a mediator and translator, helping senders understand what they need to do to get delisted and communicating that back to the blocklist. I work with senders to identify good, clean addresses, bad address segments and then suggest appropriate ways to comply with the blocklist requirements.
What is a dot-zero listing?
Some email blacklists focus solely on allowing their users to block mail from problematic sources. Others aim to reduce the amount of bad mail sent and prefer senders clean up their practices, rather than just blocking them wholesale. The Spamhaus SBL is one of the second type, using listings both to block mail permanently from irredeemable spammers and as short term encouragement for a sender to fix their practices.
All a blacklists infrastructure – and the infrastructure of related companies, such as reputation monitoring services – is based on identifying senders by their IP addresses and recording their misbehaviour as records associated with those IP addresses. For example, one test entry for the SBL is the IP address 192.203.178.107, and the associated record is SBL230. Because of that they tend not to have a good way to deal with entities that aren’t associated with an IP address range.
Sometimes a blacklist operator would like put a sender on notice that the mail they’re emitting is a problem, and that they should take steps to fix that, but they don’t want to actually block that senders mail immediately. How to do that, within the constraints of the IP address based blacklist infrastructure?
IP addresses are assigned to users in contiguous blocks and there’s always a few wasted, as you can’t use the first or last addresses in that range (for technical / historical reasons). Our main network consists of 128 IP addresses, 184.105.179.128 to 184.105.179.255, but we can’t put servers on 184.105.179.128 (as it’s our router) or 184.105.179.255 (as it’s the “broadcast address” for our subnet).
So if Spamhaus wanted to warn us that we were in danger of having our mail blocked, they could fire a shot across our bow without risk of blocking any mail right now by listing the first address in our subnet – 184.105.179.128 – knowing that we don’t have a server running on that address.
For any organization with more than 128 IP addresses – which includes pretty much all ISPs and ESPs – IP addresses are assigned such that the first IP address in the range ends in a zero, so that warning listing will be for an address “x.y.z.0” – it’s a dot-zero listing.
Arrest made in Spamhaus dDOS
According to a press release by the Openbaar Ministerie (the Public Prosecution Office), a dutch man with the initials SK has been arrested in Spain (English translation) for the dDOS attacks on Spamhaus. Authorities in Spain have searched the house where SK was staying and seized electronic devices including computers and mobile phones.
Brian Krebs has more, including multiple sources that identify SK as Sven Olaf Kamphuis. Sven Olaf Kamphuis was quoted in many articles about the dDOS, including the NY Times and various reports by Ken Magill.
ETA: Spamhaus thanks the LEOs involved in the arrest.
More on the attack against Spamhaus and how you can help
While much of the attack against Spamhaus has been mitigated and their services and websites are currently up, the attack is still ongoing. This is the biggest denial of service attack in history, with as much as 300 gigabits per second hitting Spamhaus servers and their upstream links.
This traffic is so massive, that it’s actually affecting the Internet and web surfers in some parts of the world are seeing network slowdown because of this.
While I know that some of you may be cheering at the idea that Spamhaus is “paying” for their actions, this does not put you on the side of the good. Spamhaus’ actions are legal. The actions of the attackers are clearly illegal. Not only is the attack itself illegal, but many of the sites hosted by the purported source of the attacks provide criminal services.
By cheering for and supporting the attackers, you are supporting criminals.
Anyone who thinks that an appropriate response to a Spamhaus listing is an attack on the very structure of the Internet is one of the bad guys.
You can help, though. This attack is due to open DNS resolvers which are reflecting and amplifying traffic from the attackers. Talk to your IT group. Make sure your resolvers aren’t open and if they are, get them closed. The Open Resolver Project published its list of open resolvers in an effort to shut them down.
Here are some resources for the technical folks.
Open Resolver Project
Closing your resolver by Team Cymru
BCP 38 from the IETF
Ratelimiting DNS
News Articles (some linked above, some coming out after I posted this)
NY Times
BBC News
Cloudflare update
Spamhaus dDOS grows to Internet Threatening Size
Cyber-attack on Spamhaus slows down the internet
Cyberattack on anti-spam group Spamhaus has ripple effects
Biggest DDoS Attack Ever Hits Internet
Spamhaus accuses Cyberbunker of massive cyberattack
Spamhaus answers questions
Lost in all of the DOS attack news this week is that the first installment of Spamhaus answering questions from marketers in Ken Magill’s newsletter.
It’s well worth a read for anyone who is interested in hearing directly from Spamhaus.
One quote stood out for me, and it really sums up how I try to work with clients and their email programs.
CBL website and email back on line
The CBL website is back on line.
It’s possible that your local DNS resolver has old values for it cached. If so, and if you can’t flush your local DNS cache, and you really can’t wait until DNS has been updated then you may be able to put a temporary entry in your hosts file to point to cbl.abuseat.org.
You can get the IP address you need to add by querying the nameserver at ns-2038.awsdns-62.co.uk for cbl.abuseat.org. No, I’m not going to tell you the IP address – if you can’t do a basic DNS query, you shouldn’t be modifying your hosts file and you can just wait a day.
dDOS spreads to the CBL
Spamhaus has mostly mitigated the dDOS against the Spamhaus website and mailserver, but now the CBL is under attack. They have been working to get that under protection as well, but it’s taking some time.
Right now there are no public channels for delisting from the CBL. The Spamhaus Blog will be updated as things change, and I’ll try and keep things updated here as well.
UPDATE: Cloudflare talks about the scope of the attack
Spamhaus under major dDOS
Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver is currently offline.
DNS services, including rsync and the mirrors, are up and running.
Spamhaus is working to bring the mailserver and website back up, and are hoping to have it up later today.
If there are any critical or particularly urgent SBL issues today, contact your ESP delivery team. The folks who were contacted do have an email address for urgent issues. This is not an address for routine queries, however, and most listees are going to have to wait until normal services are restored to have their listing addressed.
If there is something particularly urgent and your ESP or delivery team does not have a contact address, you can contact me an I can see what I can do.
UPDATE: Most of the IPs people have sent me are actually XBL/CBL listings. But right now the CBL webserver is responding slowly due to the DOS.
If you want to look up a listing without using the Spamhaus website you can use the “host” or “dig” command line tools. To do this reverse the digits in the IP address and append zen.spamhaus.org on the end.
So for the IP 10.11.12.13 you would query 13.12.11.10.zen.spamhaus.org
The 5 stages of a Spamhaus listing
Courtesy of Spencer over at Experian.
The 5 Stages of Recovery
Questions about Spamhaus
I have gotten a lot of questions about Spamhaus since I’ve been talking about them on the blog and on various mailing lists. Those questions can be condensed and summed up into a single thought.
Read MoreSpamhaus Speaks
There’s been a lot of discussion about Spamhaus, spam traps, and blocking. Today, Spamhaus rep Denny Watson posted on the Spamhaus blog about some of the recent large retailer listings. He provides us with some very useful information about how Spamhaus works, and gives 3 case studies of recent listings specifically for transactional messages to traps.
The whole thing is well worth a read, and I strongly encourage you to check out the whole thing.
There are a couple things mentioned in the blog that I think deserve some special attention, though.
Not all spam traps actually accept mail. In fact, in all of the 3 case studies, mail was rejected during the SMTP transaction. This did not stop the senders from continuing to attempt to mail to that address, though. I’ve heard over and over again from senders that the “problem” is that spamtrap addresses actually accept mail. If they would just bounce the messages then there would be no problem. This is clearly untrue when we actually look at the data. All of the companies mentioned are large brick and mortar retailers in the Fortune 200. These are not small or dumb outfits. Still, they have massive problems in their mail programs that mean they continue to send to addresses that bounce and have always bounced.
Listings require multiple hits and ongoing evidence of problems. None of the retailers mentioned in the case studies had a single trap hit. No, they had ongoing and repeated trap hits even after mail was rejected. Another thing senders tell me is that it’s unfair that they’re listed because of “one mistake” or “one trap hit.” The reality is a little different, though. These retailers are listed because they have horrible data hygiene and continually mail to addresses that simply don’t exist. If these retailers were to do one-and-out or even three-and-out then they wouldn’t be listed on the SBL. Denny even says that in the blog post.
Another one bites the dust
NASK (the Polish domain registry) has taken over a number of domain names used in spreading viruses and infections.
Read MoreConfirming addresses for transactional mail
A colleague was asking about confirming transactional mail today. It seems a couple of big retailers got SBLed today for sending receipts to spamtraps. I talked a few weeks ago about why it’s important to let people unsubscribe from transactional email, and many of those same things apply to confirming receipts.
Read MoreIs Spamhaus still relevant?
Today’s Wednesday question comes from a recent discussion on the Only Influencers mailing list. One of the participants asked “Is Spamhaus relevant and necessary? Are they willing to work with marketers?”
Read MoreWhat causes Spamhaus CSS listings
Today’s Wednesday Question comes from Zaib F.
What causes the Spamhaus CSS listing in your experience other than Sender using multiple sets of IPs, to look as if they are a valid sender. Do you think a Spamtrap plays a role?
Read More
Links: September 24, 2012
Last week Return Path announce a new set of email intelligence products. One of their new products offers customers the chance to actually see how (some subset of) their customer base interacts with mail directly. It moves beyond simply looking at probe mailboxes and actually looks inside the mailbox of recipients.
Spamhaus has listed bit.ly on the Domain Blocklist (DBL) for allowing spammers to abuse their redirector service. Spammers have been abusing bit.ly for a while, and I’m a little surprised it’s taken so long for a listing to happen. Steve wrote a post last year about URL redirectors and offered suggestions on what to do to avoid blocking problems when using a URL shortening service.
Real Insights has a very interesting post on why it should be “hard” to subscribe to your mailing list. There are also a number of good suggestions about the subscription process itself. Definitely worth a read.
Questions about CAN SPAM.
In the US, the law governing the sending of commercial email is CAN SPAM. I’ve seen a number of questions about CAN SPAM recently.
One came from twitter, where someone was asking if just having an email address meant permission to send to it. Clearly, just being able to dig up an email address doesn’t imply permission to send marketing or commercial email to it. I can promise you April23@contact.wordtothewise.com did not sign up to receive information on increasing Facebook followers.
CAN SPAM doesn’t prohibit unsolicited email. All it says is that if you send unsolicited email you must do a few things.
Spamhaus dDOS
I got mail late last night from one of the Spamhaus peeps telling me that they were under a distributed Denial of Service (dDOS) attack. This is affecting email. Incoming email is delayed and they’re having difficulty sending outgoing email. This is affecting their responses to delisting queries.
They are working on mitigation and hopefully will be fully up and running soon.
Updates when I get them.
Update (8/29/2012): mail to Spamhaus should be back.
Nameless and faceless
Ken Magill wrote about Spamhaus last week. In the article he commented about the volunteers.
Read MoreSpamhaus changes
A number of ESPs are reporting an increase in SBL listings of big, well known brands. InterestingSBLs seems to confirm this.
Just on the month of June I see tweets reporting SBL listings for: Disney (again, and again) AAA Michigan, NRCC, the Mitt Romney campaign, Macy’s (again) Facebook, Walmart Brazil, Safeway, Bacardi.
What happened? I think there are a number of reasons for an increase in SBL listings of well known brands.
The first is that botnets are rapidly becoming a solved problem. That’s not to say that they’ve gone away, or that we should stop being vigilant about the spam and malicious mail coming out of them, but that there are more and better tools to deal with botnets than there have been in the past. That means that the folks at Spamhaus can look at different classes of unsolicited email.
I believe Spamhaus has some new mail feeds that let them see mail they were previously not seeing. Anyone who has multiple email addresses can tell you that the type of spam that one address gets is often vastly different than the type of mail another email address gets. When dealing with spamtrap feeds, that means that there is unsolicited mail that isn’t seen by the feed. I know there are companies who claim to have lists of hundreds of thousands of spamtraps, and I don’t doubt that some enterprising spammers have discovered Spamhaus spamtraps in the past. Adding new feeds means that Spamhaus will see spam that they were previously missing due to their traps being compromised.
As well as bringing up new feeds, I suspect Spamhaus has better tools to mine the data. This means they can see patterns and problem senders in a clearer way and list those that meet the Spamhaus listing criteria.
I’m not saying the Spamhaus standards have changed. Spamhaus has always said they will list anyone sending unsolicited bulk email. But, as with many organizations what they could do was limited by the available resources. That resource allocation has changed and they can deal with more senders.
What does all this mean for senders? In a perfect world it wouldn’t mean anything. Senders would actually be sending mail only to people who had asked to receive it. Senders would have good list hygiene and pull off abandoned addresses long before they could be turned into spamtraps.
But we all know this isn’t a perfect world. There are a lot of senders that have lists with years of cruft on them. And not all of those addresses on the list actually opted-in to receive that mail. Many of those senders have good stats, decent opens, low unknown user rates, and low complaint rates. But that doesn’t mean there aren’t problems with the lists. And those hidden problems may mean that just because you haven’t had a Spamhaus listing in the past doesn’t mean there isn’t going to be one in your future. It means senders who want to avoid SBL listings need to pay attention to list hygiene and dead addresses. It means the source of addresses and their audit trail is even more important than ever.
Meanwhile, ESPs are struggling to cope with the ongoing and increasing SBL listings.
EDIT: Mickey attributes some of the increase in listings to Spamhaus being better able to detect appended lists.
Dealing with complaints
There are a lot of people who abuse online services and use online services to abuse and harass other people. But handling complaints and handling the abuse are often afterthoughts for many new companies. They don’t think about how to accept and process complaints until they show up. Nor do they think about how bad people can abuse a system before hand.
But dealing with complaints is important and can be complicated. I’ve written many a complaint handling process document over the years, but even I was impressed with the Facebook flowchart that’s been passed around recently.
In the email space, though, all too many companies just shrug off complaints. They don’t really pay attention to what recipients are saying and treat complaints merely as unsubscribe requests. Their whole goal is to keep complaints below the threshold that gets them blocked at ISPs. To be fair, this isn’t as true with ESPs as it is with direct senders, many ESPs pay a lot of attention to complaints and will, in fact, initiate an investigation into a customer’s practice on a report from a trusted complainant.
There are a lot of legitimate email senders out there who value quantity over quality when it comes to complaints. But that doesn’t mean their lists are good or clean or they won’t see delivery problems or SBL listings at some point.
New Spamhaus lists
Spamhaus announced today they are publishing two new BGP feeds: Extended DROP and the Botnet C&C list. These lists are intended for use inside routers in order to stop all traffic to or from listed IP addresses. This is a great way to impact botnet traffic and hopefully will have a significant impact on virus infections and botnet traffic.
In other news I’ve been hearing rumbling about changes at Yahoo. It looks like they have changed their filters and some senders are feeling lots of pain because of it. It looks like senders with low to mid range reputations are most affected and are seeing more and more of their mail hit the bulk folder. This afternoon I’m hearing that some folks are seeing delivery improvements as Yahoo tweaks the changes.
Spamtraps are not the problem
Often clients come to me looking for help “removing spamtraps from their list.” They approach me because they’ve found my blog posts, or because they’ve been recommended by their ISP or ESP or because they found my name on Spamhaus’ website. Generally, their first question is: can you tell us the spamtrap addresses on our lists so we can remove them?
My answer is always the same. I cannot provide a list of spamtrap addresses or tell you what addresses to remove. Instead what I do is help clients work through their email address lists to identify addresses that do not and will not respond to offers. I also will help them identify how those bad addresses were added to the list in the first place.
Spamtraps on a list are not the problem, they’re simply a symptom of the underlying data hygiene problems. Spamtraps are a sign that somehow addresses are getting onto a list without the permission of the address owner. Removing the spamtrap addresses without addressing the underlying flaws in data handling may mean resolving immediate delivery issues, but won’t prevent future problems.
Improving data hygiene, particularly for senders who are having blocking problems due to spam traps, fixes a lot of the delivery issues. Sure, cleaning out the traps removes the immediate blocking issue, but it does nothing to address any other addresses on the list that were added without permission. In fact, many of my clients have discovered an overall improvement in delivery after addressing the underlying issues resulting in spamtraps on their lists.
Focusing on removing spamtraps, rather than looking at improving the overall integrity of data, misses the signal that spamtraps are sending.
Spamhaus rising?
Ken has a good article talking about how many ESPs have tightened their standards recently and are really hounding their customers to stop sending mail recipients don’t want and don’t like. Ken credits much of this change to Spamhaus and their new tools.
Read MoreBiggest botnet takedown to date
Yesterday law enforcement officials arrested 6 people and charged them with running a massive internet fraud ring. Over 4 million PCs were part of the botnet.
According to the FBI
Spammer prosecuted in New Zealand
Today (well, actually tomorrow, but only because New Zealand is on the other side of the date line) the NZ Department of Internal Affairs added a 3rd statement of claim against Brendan Battles and IMG Marketing. This third claim brings the total possible fines to $2.1 million.
Brendan is a long term spammer, who used to be in the US and moved to New Zealand in 2006. His presence in Auckland was noticed by Computerworld when a number of editors and staffers were spammed. When contacted by the paper, Brendan denied being involved in the spam and denied being the same Brendan Battles.
New Zealand anti-spam law went into effect in September 2007. The Unsolicited Electronic Messages Act 2007 prohibits any unsolicited commercial email messages with a New Zealand connection, defined as messages sent to, from or within New Zealand. It also prohibits address harvesting.
The Internal Affairs department also appears to be investigating companies that purchased services from Brendan Battles.
Appeals court rules in e360 v. Spamhaus
On August 30, 2007 I wrote my very first blog post: 7th Circuit court ruling in e360 v. Spamhaus. Today, 4 years later (almost to the day) that case may finally be over.
Read MoreBit.ly gets you Blocked
URL shorteners, like bit.ly, moby.to and tinyurl.com, do three things:
Read Moree360 and the appeals court
Oral arguments in Spamhaus’ appeal were held last week. Mickey blogged about it on Thursday. I heard from him and a bunch of the Spamhaus folks about it at MAAWG, but was busy enough that I didn’t get a chance to listen to it. Mickey is not exaggerating on how badly the judges, particularly Judge Posner, beat up on e360’s lawyer. More quotes are available at Appeals judges berate spammer for “ridiculous,” “incompetent” litigation.
Read MoreWhy is shared hosting like phishing?
A client of a friend was getting rejection messages when they tried to send mail
Read MoreThe dark side of email marketing
Everyone I talk to when dealing with issues inevitably has to tell me they are legitimate email marketers. They’re not spammers, they’re just business people. I often find it difficult to fathom why they need to tell me this. It’s not like email marketers are criminals or anything.
Two recent stories reminded me how evil some folks are. While I’ve not had any direct contact (that I know of) with any of the players on this end of things I have zero doubt that if they called me they would tell me that they were legitimate email marketers.
In one case, a members of a spam gang kidnapped the teenage daughter of someone investigating their activities. The gang held her for more than 5 years in horrific conditions. Yesterday Joseph Menn, author of “Fatal System Error” posted on Boing Boing that his friend got his daughter back. It is a heartbreaking story and incredibly sobering.
In another case, the Russian police arrested a man who ran spammit.com, a clearinghouse for viagra sellers to find spammers to send their mail. Reports say that mail volumes dropped by a fifth after the site was taken offline.
There is real evil in the email marketing industry. Sure, they’re spammers and we can all stand up and say they’re not legitimate. But, this is what the ISPs and Spamhaus and law enforcement are dealing with on a regular basis.
Spamhaus and Gmail
Today’s been chock full of phone calls and dealing with clients, but I did happen to notice a bunch of people having small herds of cows because Spamhaus listed www.gmail.com on the SBL.
“SPAMHAUS BLOCKS GOOGLE!!!” the headlines scream.
My own opinion is that Google doesn’t do enough to police their network and their users, and that a SBL listing isn’t exactly a false positive or Spamhaus overreaching. In this case, though, the headlines and the original article didn’t actually get the story right.
Spamhaus blocked a range of IP addresses that are owned by Google that included the IP for www.gmail.com. This range of IP addresses did not include the gmail outgoing mailservers.
Spamhaus says
Spammer loses in the court of public opinion
Columnist Mike Cassidy of the SJ Mercury News dedicates his column today to explaining how horribly a spammer named Michael Luckman is being treated by Spamhaus.
The gist of the story is that Mr. Luckman thinks that because it is legal to purchase lists and send mail that there is nothing anyone can do to stop him from doing so. Unfortunately for Mr. Luckman, this isn’t actually true. Simply complying with the law does not mean that spamming behaviour has to be tolerated by ISPs. What’s more, ISPs have a lot of power to stop him.
His recipients’ ISPs can stop him. Filtering companies can stop him. And his upstream can stop him. In fact, Mr. Luckman’s upstream is GoDaddy, a company that has an abuse desk that is one of the toughest on the Internet. They do not tolerate spamming at all and will disconnect customers that are spamming whether or not there is a SBL listing involved.
Sure, Mr. Luckman is complying, or says he’s complying, with CAN SPAM. But that doesn’t change the fact that he is violating his contract with GoDaddy. Given that admission, I am extremely surprised that the reporter focused so exclusively on Spamhaus’ role in this, without mentioning GoDaddy’s abuse enforcement or that Mr. Luckman has to comply with contracts he signed.
Most reputable marketers agree that sending mail to purchased email addresses is spam. Most recipients agree that mail they didn’t ask to receive is spam. Even the reporter agrees that Mr. Luckman is a spammer. Compliance with CAN SPAM doesn’t mean anyone is required to accept his mail, nor provide him with a connection to the rest of the internet.
This is a lesson Mr. Luckman is having problems learning. Instead of fixing his process so he isn’t sending spam, he contacts a reporter to plead his case in the court of public opinion. Sadly for him, most people hate spam and won’t defend a self admitted spammer against a blocking group. In fact, over 80% of the people who have voted in the “has Spamhaus gone too far” poll have said no. What’s your vote?
Spamhaus motion to reconsider
A few weeks ago, Spamhaus filed a motion to have the judge reconsider his recent $27,002 award to e360. Their brief hangs on three arguments.
Read MoreGmail and the PBL
Yesterday I wrote about the underlying philosophy of spam filtering and how different places have different philosophies that drive their filtering decisions. That post was actually triggered by a blog post I read where the author was asking why Gmail was using the PBL but instead of rejecting mail from PBL listed hosts they instead accepted and bulkfoldered the mail.
The blog post ends with a question:
Spam lawsuits: new and old
There’s been a bit of court activity related to spam that others have written about and I feel need a mention. I’ve not yet read the papers fully, but hope to get a chance to fully digest them over the weekend.
First is e360 v. Spamhaus. This is the case that actually prompted me to start this blog and my first blog post analyzed the 7th circuit court ruling sending the case back the lower court to determine actual damages. The lower court ruled this week, lowering the judgment to $27,002 against Spamhaus. The judge ruled that there was actual tortuous interference on the part of Spamhaus. In my naive reading of the law, this strikes me as not only an incorrect ruling, but one that ignores previous court decisions affirming that blocklists are protected under Section 230. Venkat seems to agree with me.
News and announcements: March 1, 2010
Some news stories and links today.
Spamhaus has announced their new domain block list (DBL). The DBL is a list of domains that have been found in spam.
Marketing to businesses
“If you do stupid things, you’re going to get blocked,” says Jigsaw CEO Jim Fowler in an interview with Ken Magill earlier this week.
Jigsaw is a company that rewards members to input their valuable business contacts. Once the addresses are input into Jigsaw, they are sold to anyone who wants them. Jigsaw gets the money, the people providing information get… something, the people who provided business cards to Jigsaw members get spammed and the people who downloaded the lists get to deal with a delivery mess. Sounds like a lose for everyone but Jigsaw.
Except that now Jigsaw is listed on the SBL for spam support services. Well, that’s going to cause some business challenges, particularly given how many companies use the SBL as part of their filtering scheme.
It’s hard to think of a situation where I would appreciate someone I gave a business card to providing my information to a site that then turns around and lets anyone download it to send email to. I know, I know, there are a million companies out there I’ve never heard of that have The Product that will Solve All my Problems. But, really, I don’t want them in my work mailbox. The address I give out on my business cards is, for, y’know, people to contact me about what I’m selling or to contact me about things they’ve already purchased from me. That address is not for people to market to. I have other addresses for vendors, and even potential vendors, to contact me.
Jigsaw clearly facilitates spam to businesses by collecting email addresses and then selling them on. This is a drain on small businesses who now have inboxes full of valuable offers to wade through. Perhaps their stint on the SBL will make them reconsider their spam support services.
HT: Al
Yahoo fixed erroneous rejection problem
Yahoo announced over the weekend that they fixed their rejection problem. It may take some time to filter out to all their MTAs, but they do believe the issue is resolved.
Read MoreWinning friends and removing blocks
I do a lot of negotiating with blocklists and ISPs on behalf of my clients and recently was dealing with two incidents. What made this so interesting to me was how differently the clients approached the negotiations.
In one case, a client had a spammer slip onto their system. As a result the client was added to the SBL. The client disconnected the customer, got their IP delisted from the SBL and all was good until the spammer managed to sweet talk the new abuse rep into turning his account back on. Predictably, he started spamming again and the SBL relisted the IP.
My client contacted me and asked me to intercede with Spamhaus. I received a detailed analysis of what happened, how it happened and how they were addressing the issue to prevent it happening in the future. I relayed the info to Spamhaus, the block was lifted and things are all back to normal.
Contrast that with another client dealing with widespread blocking due to a reputation problem. Their approach was to ask the blocking entity which clients they needed to disconnect in order to fix the problem. When the blocking entity responded, the customer disconnected the clients and considered the issue closed. They didn’t look at the underlying issues that caused the reputation problems, nor did they look at how they could prevent this in the future. They didn’t evaluate the customers they disconnected to identify where their processes failed.
The first client took responsibility for their problems, looked at the issues and resolved things without relying on Spamhaus to tell them how to fix things. Even though they had a problem, and is statistically going to have the occasional problem in the future, this interaction was very positive for them. Their reputation with the Spamhaus volunteers is improved because of their actions.
The second client didn’t do any of that. And the people they were dealing with at the blocking entity know it. Their reputation with the people behind the blocking entity was not improved by their actions.
These two clients are quite representative of what I’ve seen over the years. Some senders see blocking as a sign that somehow, somewhere there is a flaw in their process and a sign they need to figure out how to fix it. Others see blocking as an inconvenience. Their only involvement is finding out the minimum they need to do to get unblocked, doing it and then returning to business as usual. Unsurprisingly, the first type of client has a much better delivery rate than the second.
McColo goes offline
Last week a major player in the botnet arena was taken offline when they were shutdown by their upstream provider. With the demise of McColo, there has been a 30 – 50% drop in the amount of spam as measured by any number of different techniques. The CBL team has posted an article about their view of the McColo disconnection, which includes links to press articles about the shutdown. Spamhaus has their own take on the shutdown and another collection of links to articles about the shutdown.
In my own mailbox, I have noticed a drastic decrease in the amount of spam over the last week. I am too jaded to expect that the change is permanent, but it is nice while it lasts.
Email news
ReturnPath sold its email change of address division to Fresh Address and spun off its email marketing division. Full announcement at the RP Blog and a copy of the press release at EmailKarma.
e360 petitioned the court earlier this week to compel Spamhaus to expand on their answers to e360’s interrogatories. Today the court denied the motion. Text of the motion at Mickey’s place.
There has been a noticeable increase in registrar phishing over the last week. This may be related to ICANN de-accrediting ESTHosts, a registrar well known in the anti-spam community for registering domains used in phising and spam. UPDATE from ICANN.
News snapshot
- The judge in e360 v. Spamhaus has denied Spamhaus’ motion for dismissal. However, the judge also ordered that the 16 new witnesses be stricken and capped damages at the original $11.7M. Mickey has the order.
- Tuesday the FTC announced it had shut down a major spamming operation. I am not sure the results are visible yet, yesterday there were 2041 spams in one of my mailboxes yesterday versus 2635 a week ago.
- The FBI announced today it had infiltrated and shut down a international carding ring. While not directly spam related the phishers and carders work together and some of them use spam.
- Rumor has it that many mailers are seeing problems delivering to AOL the last few days. It seems that AOL is making adjustments to their filtering system. As when any ISP changes filter rules and weights, some of the people just skirting by see delivery problems. What people are hearing is that if they are seeing delivery problems at AOL they need to improve their reputation.
- Last week Yahoo had another online workshop with the mail folks. They have published a transcript of the talk. I was at the talk and there were only a couple spam related questions.
donhburger: Why does Yahoo sell our email addresses to spammers?
Read More
YMailRyan: We absolutely don’t sell your addresses to spammers. No IFs, ANDs, or BUTs about it.
imintrouble: My mom keeps emailing em but I never get it and usually it ends up in my spam box. Why? How do I make this stop? She’s getting pissed that I’m not replying.
YMailTeam: Oh no! Be sure your Mom is on your contact list– this should help keep mom out of spam box and put her back into your inbox.
buergej: Just why do I keep receiving the same kind of spam from a series of what appear to be women day after day after day?
YMailCarl: Spam is, unfortunately a constant problem for anyone using email. The reason you are receiving these emails is because spammers have somehow gotten a hold of your email address and are mailing you their lovely messages. There are several things you can do to assist with this. First, continue to report these messages as “Spam” by clicking the button at the top of the email labled “Spam”. Note that you don’t need to actually look at the message to do this. When you report items as spam it lets Yahoo! know that messages originating from that person are likely spam. This not only helps you, but helps other Yahoo! users as well.
YMailCarl: Second, if the emails are from similar names, you can set up filters in your email account to block those names and send them to your trash or spam folder.
YMailCarl: Obviously these messages you are receiving are not from women trying to sell you products personally – the messages are typically generated by a script which will try to forge or “spoof” the originating address.
YMailCarl: We agree that Spam is a serious issue and have many resources dedicated to fighting this problem.
YMailCarl: You can find some additional information about fighting spam here: http://help.yahoo.com/l/us/yahoo/mail/original/abuse/index.html
donhburger: Why when I mark Emails as Spam do I continue to get emils from the same persons?
YMailMaryn: When you mark a message as “spam” from within your Inbox that moves the message to your Spam Folder. And all subsequent messages that are sent from that particular sender will not be delivered to your Inbox, but will be delivered to your Spam Folder.
The dog ate my discovery responses
When we last visited our intrepid litigants, Spamhaus’ lawyers had filed a motion to dismiss citing yet another failure by e360 to meet a court ordered discovery deadline.
Let me set the stage.
e360 misses deadline after deadline during discovery. They skip depositions. They stall and provide incomplete answers weeks or months after they are due. Finally, in mid-July the Spamhaus’ lawyers file a motion for sanctions. The judge, while sounding a bit peeved (as I detailed in my Aug 29 post), gives e360 yet another chance to actually comply with discovery at a July 30 hearing.
And how, how does e360 respond to the taxed patience of the judge? They miss that deadline, too!
With the mid-August discovery deadline missed, Spamhaus’ lawyers file for dismissal. The plaintiffs race to repair the damage and find a scapegoat.
The scapegoat turns out to be Mr. Peters, one of the lawyers working the case. At the July 30 hearing he petitioned the judge to be released from the case as he was leaving Synergy (e360’s law firm). In their response to the motion to dismiss, the lead attorney blames Mr. Peters for the most recent e360 failure to comply with the judge’s ruling. According to the response Mr. Peters was, despite being removed from the case, responsible for complying with the July 30 ruling. Oh, and the mean old Spamhaus attorneys should have known that e360 was going to comply and did not contact Synergy before filing the motion to dismiss and it is just not FAIR, your honor!
With far more patience than I could muster, the judge agrees to a hearing about the motion to dismiss on September 4. At that time, he agrees to allow e360 to file a supplement to their response to the motion to dismiss and gives Spamhaus the opportunity to respond to that supplemental motion.
Wonder of wonders, e360 finally gets their act together and manages to meet a court ordered deadline when they filed their supplemental motion. Not only that, they included answers to the interrogatories sent by Spamhaus almost a year ago. Magically, the amount of damages e360 claims has gone up by an order of magnitude and 16 new people now know about e360’s financials. Too bad that the judge closed discovery on July 30.
e360’s answers included some interesting financial details, including the fact that e360 managed to sue itself out of business. That takes some serious talent. The other fascinating factoid is that a company with gross income of, roughly, 2.7 million dollars over 5 years is worth over 95 million dollars. While they do provide a formula for how they arrived at that figure, I am deeply suspicious of their claims.
Spamhaus’ response is on point and catalogs all the e360 discovery failures. This most recent failure to meet the court’s deadline is only one in a long line of failures. They emphasized the fact that they have petitioned the court four separate times to compel answers from e360. And, really, Judge, how many times do you want us to have to come back and waste everyone’s time pointing out that, yet again, e360 did not do what you told them they had to do?
The judge will be ruling by mail. No more hearings, the man is done with this. One thing that I have wondered about is why he seems to be prolonging the pain. But, the case has already been kicked back to him from the 7th Circuit Court of Appeals and I suspect he is loathe to do anything that might prompt a successful second appeal. Recent transcripts make it clear he is getting quite peeved that this is still on his docket. Really, all e360 had to do was provide the information they used to come up with the original 11M figure when the case was filed. Their reticence and inability to show any documentation on how they came up with that figure suggests that the figure may have been more wishful thinking than a real number.
Garbage in… garbage out
Ken Magill (hereafter known as Mr. Stupid Poopypants) has a follow up article today on his article from last week about the Obama campaign’s mailing practices. While poking Dylan a bit, his message is that marketers really need to look harder at double opt-in.
Read MoreSpamhaus files for dismissal of e360 case
Spamhaus filed a motion today asking the judge to dismiss the e360 v. Spamhaus case for contempt. Mickey, as usual, has the docs up.
I have not posted much on the case recently, as there was only legal wrangling about discovery going on. The biggest problem being that e360 has dragged their feet, stalled and avoided discovery for the last 8 months. They have missed deadlines, turned over incomplete documents and ignored depositions. Since I last wrote about this case, discovery has been extended multiple times, the judge has compelled e360 to turn over docs and information and he sanctioned e360 for their failures to comply.
From my perspective, Spamhaus’ lawyers have been setting the stage for this motion for the last 4 – 5 months. Their interactions with e360’s lawyers, their motions to compel and their motion for sanctions have all formed a narrative of how e360 is stonewalling discovery.
This particular motion is only about 8 pages long, but references a 125 page exhibit. The very large exhibit is mostly documents that have been published before in the “Motion for Various relief due to Persistent Discovery Defaults” filed in July.
In the July motion, Spamhaus’ lawyers detail their repeated efforts to get discovery from e360, and the utter lack of cooperation. One of my favorite bits is that e360 responded (weeks late) to some of the initial interrogatories with (paraphrased), “It is too hard to write all this down, but we will tell you about it in the depositions.” My understanding of the law is that this is, in and of itself, a bit of a no-no. What really puts the icing on the cake, though, is that e360 then skipped 2 properly noticed depositions. They just did not appear, thus making their answers to the interrogatories utterly meaningless.
Spamhaus requested that the Judge impose sanctions on e360 for failing to appear at 2 depositions, not complying with the judge’s previous orders and generally being unable to actually produce any documentation that is complete or on time. Even better, when e360 did manage to produce a thumb drive it contained multiple email conversations between Mr. Linhardt and his lead counsel. This little oops happened because no one at the law firm bothered to actually examine any of the files before handing over the thumb drive. In fact, they only became aware of their error when opposing counsel notified them of the files. When e360 asked for the information back, Spamhaus’ lawyers refused pointing out that they handed over all the information willingly and that their failure to actually examine the files does not constitute an inadvertent disclosure.
The judge did sanction e360, although not with the severity that Spamhaus’ lawyers requested. He also ordered full discovery and documents turned over by August 15th. Based on my reading of the transcript (exhibit 4) the Judge sounds like he is tired of having to tell the e360 lawyers to do their jobs. The judge lectured e360 on their failure to get thing resovled.
Update on Yahoo and the PBL
Last week I requested details about Yahoo rejections for IPs pointing to the PBL when the IP was not on the PBL. A blog reader did provide me with extremely useful logs documenting the problem. Thank you!
Based on my examination of the logs, this appears to be a problem only on some of the Yahoo! MXs. In fact, in the logs I was sent, the email was rejected from 2 machines and then eventually accepted by a third.
I have forwarded those logs onto Yahoo who are looking into the issue. I have also talked with one of the Spamhaus volunteers and Spamhaus is aware of the issue as well.
The right people are looking at the issue and Spamhaus and Yahoo are both working on fixing this.
Thanks for the reports and for the logs.
Yahoo and Spamhaus
Yahoo has updated and modified their postmaster pages. They have also put a lot of work into clarifying their response codes. The changes should help senders identify and troubleshoot problems without relying on individual help from Yahoo.
There is one major change that deserves its own discussion. Yahoo is now using the SBL, XBL and PBL to block connections from listed IP addresses. These are public blocklists run by Spamhaus. Each of them targets a different type of spam source.
The SBL is the blocklist that addresses fixed spam sources. To get listed on the SBL, a sender is sending email to people who have never requested it. Typically, this involves email sent to an address that has not opted in to the email. These addresses, known as spamtraps, are used as sentinel addresses. Any mail sent to them is, by definition, not opt-in. These addresses are never signed up to any email address lists by the person who owns the email address. Spamtraps can get onto a mailing list in a number of different ways, but none of them involve the owner of the address giving the sender permission to email them.
Additionally, the SBL will list spam gangs and spam supporters. Spam supporters include networks that provide services to spammers and do not take prompt action to remove the spammers from their services.
The XBL is a list of IP addresses which appear to be infected with trojans or spamware or can be used by hackers to send spam (open proxies or open relays). This list includes both the CBL and the NJABL open proxy list. The CBL list machines which appear to be infected with spamware or trojans. The CBL works passively, looking only at those machines which actively make connections to CBL detectors. NJABL lists machines that are open proxies and open relays.
The Policy Block List (PBL) is Spamhaus’ newest list. Spamhaus describes this list as
7th circuit court ruling in e360 v. Spamhaus
Mickey has some commentary and the full ruling up on Spamsuite. In short the appeals court affirmed the default judgment, vacated the judgment on damages and remanded the case back to the lower court to determine appropriate damages.
There are a couple bits of the ruling that stand out to me and that I think are worthy of comment.
Spamhaus made a very bad tactical decision by initially answering and then withdrawing that answer. The appeals court ruled that action signaled that Spamhaus waived their right to argue jurisdiction and that they submitted to the jurisdiction of the court. Based on this, the appeals court upheld the default judgment against Spamhaus. Not necessarily the outcome any of us wanted, but that doesn’t set any precedent for future cases unless defendants answer and then withdraw the answer. Specifically on page 12 of the ruling the court says: