Spamhaus - Refusing to delist false positives, pompous / rude attitudes, whats your experience?
MannDude Host Rep, Veteran
edited April 7 in General

Keeping this in 'General' so that it may be indexed, but hoping both providers and end-users can chime in with their experiences.

I'll try to keep this short and stick to the facts only:

  • On 03/25/2024 we had a customer register a .online domain name. We manually screen and manually process ALL domain orders, to weed out the obvious fraud or phishing ones. This one caught our eye, but only because it appeared to be an obvious joke. Had a chuckle, and approved it. Think like "howtoscamoldpeople" or something along those lines. Not trying to imitate a brand or anything of that nature. A name so off the wall that it had to have been a clear joke.

  • On 03/27/2024 the customer writes in saying that their domain name isn't loading, stating that they suspected DNS issues. I confirmed the domain wasn't resolving, checked our DNS cluster, it appeared there, checked a few other things... After a little review found that the domain had a "serverHold" status. I check our abuse inbox in case we missed something about it, I see nothing. So I check with InternetBS to see if it was held by them, and it was not. Their support directed me to contact Radix, the registry that oversees domain names like .host, .online and some other TLDs you've all seen.

  • Radix states there is a Spamhaus listing for the domain for 'phishing'. "Ah, maybe it wasn't a joke after all" I thought...

  • So now I dig into this deeper. The domain was hosted on our shared hosting service. I was able to confirm that the domain name had sent zero emails (didn't even have any inboxes created), was literally a single page index.html static site. No images, no sub-dirs. No sub-domains. No hosted scripts. I add the IP and domain to my hosts file for review and it's literally a poorly made static site that reads like a 4Chan user had made it. But as the domain would suggest, the site is literally a joke. Nothing 'phishy' about it. At this point I've reviewed enough to determine with pretty much 100% certainty that the domain was listed by mistake as a false positive, that this is just some misunderstanding and if I ticket in with Spamhaus, after having already written to InternetBS and checked with Radix, that this can all be cleared up.

  • So, I open a dialogue with Spamhaus... The entire conversation up until now is shown below, with the domain name censored for customer privacy. The conversation begins at the bottom and moves upward.

The conversation with Spamhaus:

I explain to them the situation, let them know we've checked and there doesn't appear to be any issues with the domain, that it's an obvious joke domain, and explained that as a result of this Spamhaus listing it triggers an automated response by Radix to serverHold the domain, removing it from the internet completely. Figured this would result in a, "Thanks for writing in, upon review, you appear correct. We've removed the listing, you may need to contact Radix to get the hold lifted but it appears to have been a false positive. Thank you and have a good day." type response. Instead, was met with a "cordial invitation" to "consider the type of customers that you have attracted and the reputation of said domains".

Ok, cool. Yeah, the privacy stuff does attract some questionable orders from time to time but we try to price in a manner that encourages them to just try their luck anywhere else cheaper. Despite that, we still literally check all shared hosting domains against 88 well-maintained RBLs and blacklists (listed below) and Spamhaus' own website reports "No Issue" for our shared hosting IPs, or ASN. We're pretty strict when it comes to spam and phishing, and abusers are kicked to the curb quite promptly.

Blacklists that domains are automatically checked against, with zero reported issues.
0spam-killlist.fusionzero.com
ipbl.zeustracker.abuse.ch
rbl.abuse.ro
spam.dnsbl.anonmails.de
dnsbl.anticaptcha.net
orvedb.aupads.org
rsbl.aupads.org
block.ascams.com
superblock.ascams.com
aspews.ext.sorbs.net
ips.backscatterer.org
b.barracudacentral.org
list.bbfh.org
blackholes.tepucom.nl
netscan.rbl.blockedservers.com
rbl.blockedservers.com
spam.rbl.blockedservers.com
list.blogspambl.com
blacklist.sci.kun.nl
cbl.anti-spam.org.cn
cblplus.anti-spam.org.cn
cblless.anti-spam.org.cn
cdl.anti-spam.org.cn
bogons.cymru.com
v4.fullbogons.cymru.com
rbl.dns-servicios.com
dnsblchile.org
bl.drmx.org
dnsbl.dronebl.org
rbl.fasthosts.co.uk
fnrbl.fast.net
forbidden.icm.edu.pl
black.junkemailfilter.com
dnsbl.cobion.com
spamrbl.imp.ch
wormrbl.imp.ch
rbl.interserver.net
mail-abuse.blacklist.jippg.org
dnsbl.justspam.org
dnsbl.kempt.net
spamlist.or.kr
bl.mailspike.net
z.mailspike.net
bl.mav.com.br
cidr.bl.mcafee.com
images.rbl.msrbl.net
phishing.rbl.msrbl.net
spam.rbl.msrbl.net
relays.nether.net
unsure.nether.net
spam.pedantic.org
psbl.surriel.com
rbl.schulte.org
rbl.realtimeblacklist.com
bl.scientificspam.net
bl.score.senderscore.com
dnsbl.sorbs.net
proxies.dnsbl.sorbs.net
relays.dnsbl.sorbs.net
dul.dnsbl.sorbs.net
zombie.dnsbl.sorbs.net
block.dnsbl.sorbs.net
escalations.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
spam.dnsbl.sorbs.net
recent.spam.dnsbl.sorbs.net
new.spam.dnsbl.sorbs.net
backscatter.spameatingmonkey.net
badnets.spameatingmonkey.net
bl.spameatingmonkey.net
netbl.spameatingmonkey.net
bl.spamcop.net
sbl.spamdown.org
spamsources.fabel.dk
bl.suomispam.net
gl.suomispam.net
multi.surbl.org
dnsrbl.swinog.ch
rbl2.triumf.ca
truncate.gbudb.net
dnsbl-0.uceprotect.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
blacklist.woody.ch
db.wpbl.info
bl.blocklist.de

So, the issue is that the entire process is automated. Their bot detected the domain, tossed it on a list, Radix uses that list and issues a serverHold. Boom, website vanishes from the internet with no real appeal or process to get it delisted.

Following on from that, Spamhaus, when contacted, says they can't or won't do anything about it, because they have concerns regarding the "quality" of our customers and the domains we host. The tools that THEY offer to the public on their own website report that there are NO issues with our network or domains, and per the ticket they cannot or will not share which domains are the issue, even after we've expressed a willingness to review and clean up any concerns. We've only had six emails from Spamhaus since 2022, for real issues that were resolved promptly as I recall.

Most blacklists you can just sort of shrug off if they're overly aggressive in their listing, but what do you do when a large, commonly used resource is behaving in such a way? Does this mean anyone can easily get a domain from Radix or other registries with similar policies yeeted from the internet by complaining to Spamhaus?

This doesn't even seem like a new issue. A friend of mine familiar with the issue linked me to this yesterday: https://old.reddit.com/r/msp/comments/1bwyhmr/beware_of_the_xyz_registry/

What other registries like Radix offer TLDs we should now consider dropping support for? For such a low margin item it's not worth the headache to have to fight Spamhaus for delistings on their false positives and try to explain to customers that many 3rd party organizations have unchecked influence on the internet and can behave as activists if they wish to with little recourse.
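As an added example that is not part of the original post: the check that settles the question the OP had to answer at the "serverHold" step, whether a hold was set at the registry (serverHold, which is what Radix applies) or at the registrar (clientHold), read from either ICANN-format whois output or an RDAP domain object. The sample whois text and RDAP document are constructed for this example; the `fetch_rdap` helper and its use of the public rdap.org redirector are assumptions about where a live query would go, not something the post describes.

```python
"""Tell a registry-level hold (serverHold) from a registrar-level hold
(clientHold) from a domain's EPP status values.

Added example, not from the original post. Inputs are constructed. RDAP spells
EPP statuses with spaces ("server hold"), per the RFC 8056 mapping, so both
spellings are normalised before lookup."""
import json
import re
import urllib.request
from typing import Dict, Iterable, List

# Hold statuses remove the delegation from the TLD zone, so the name stops
# resolving everywhere even though the hosting provider's DNS is untouched.
HOLD_STATUSES = {"serverhold": "registry", "clienthold": "registrar"}

# Lock statuses only block changes; a domain carrying just these still resolves.
LOCK_STATUSES = {
    "servertransferprohibited", "clienttransferprohibited",
    "serverupdateprohibited", "clientupdateprohibited",
    "serverdeleteprohibited", "clientdeleteprohibited",
}


def normalise(status: str) -> str:
    """'server hold' (RDAP), 'serverHold' (EPP/whois), 'SERVERHOLD' -> 'serverhold'."""
    return "".join(status.split()).lower()


def parse_whois_statuses(text: str) -> List[str]:
    """Extract status names from ICANN-format whois output.

    Lines look like 'Domain Status: serverHold https://icann.org/epp#serverHold';
    the trailing URL is dropped."""
    pattern = re.compile(r"^\s*Domain Status:\s*(\S+)", re.MULTILINE | re.IGNORECASE)
    return [m.group(1) for m in pattern.finditer(text)]


def classify(statuses: Iterable[str]) -> Dict[str, object]:
    """Report whether the domain is held and by whom, plus any change locks."""
    norm = [normalise(s) for s in statuses]
    held_by = sorted({HOLD_STATUSES[s] for s in norm if s in HOLD_STATUSES})
    return {
        "held": bool(held_by),
        "held_by": held_by,  # ['registry'], ['registrar'], both, or []
        "locks": [s for s in norm if s in LOCK_STATUSES],
        "statuses": norm,
    }


def classify_rdap(doc: dict) -> Dict[str, object]:
    """Same report from an RDAP domain object (RFC 9083 'status' array)."""
    result = classify(doc.get("status", []))
    result["domain"] = doc.get("ldhName", "").lower()
    return result


def fetch_rdap(domain: str, timeout: float = 10.0) -> dict:
    """Live lookup via the rdap.org redirector (assumed endpoint; it redirects
    to the TLD's authoritative RDAP server). Not used by the sample run."""
    req = urllib.request.Request(
        f"https://rdap.org/domain/{domain}",
        headers={"Accept": "application/rdap+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample inputs for a held domain (not a real domain).
SAMPLE_WHOIS = """Domain Name: JOKE-DOMAIN.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

SAMPLE_RDAP = {
    "ldhName": "joke-domain.example",
    "status": ["server hold", "client transfer prohibited"],
}

if __name__ == "__main__":
    print(classify(parse_whois_statuses(SAMPLE_WHOIS)))
    print(classify_rdap(SAMPLE_RDAP))
```

A result of `held_by == ['registry']` means the registrar cannot lift the hold; the conversation has to go to the registry (and, as in this thread, to whichever list the registry acted on). A registrar-set `clientHold` is the reverse case.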


Comments

  • Gulf Member

    There was probably at least 1 email. Otherwise, they won't get the domain name.
    1 email is enough for them.

  • edited April 7

    @Gulf said:
    There was probably at least 1 email. Otherwise, they won't get the domain name.
    1 email is enough for them.

    Yeah, I figure the mail wouldn't necessarily have to be sent through the server provided by the shared hosting account. I guess just the domain name appearing in something looking like spam alone could trigger them.

  • sillycat Member

    @MannDude said: The conversation with Spamhaus:

    Holy shit. This guy has a MASSIVE ego for someone hiding their full name in support tickets and just putting "R e". It amazes me how people like this get into high positions of power.

    Now I understand why email spammers DDoSed Spamhaus. With that big of an ego, you kinda deserve it.

    @Gulf said: Otherwise, they won't get the domain name.

    SSL transparency logs exist.

  • Gulf Member

    @sillycat said:

    Holy shit. This guy has a MASSIVE ego for someone hiding their full name in support tickets and just putting "R e". It amazes me how people like this get into high positions of power.

    Btw, he is known. 55-60 years old, lives with mom somewhere in Texas.

  • MikeA Member, Patron Provider
    edited April 7

    A lot of companies don't like Spamhaus, but I've personally never had a bad experience with them nor have had any false listings. I've sent them a lot of de-listing requests, never once have been denied, and of course my services attract a lot of bad users just like you since we both accept crypto. Just a downside of doing business and catering to the crypto and "privacy" market.

    Wish we could know what the domain is, but of course that won't be possible without a breach of privacy.

    Edit - Doesn't mean false listings are not possible. They did blacklist Gmail after all in the past. Just sharing my opinion since you asked.

    Thanked by 1: Andreix
  • Gulf Member

    Yes, other than this rude person, spamhaus does a great job overall. They can't cover all types of spam, but sometimes help.

  • ehhthing Member
    edited April 7

    This feels like the problem is more that the company that manages .online uses SpamHaus to automatically serverHold domains.

    SpamHaus probably just automatically adds domains that could possibly be used for phishing, not only ones that are currently being used for phishing. If someone registered goooogle.com for example as a joke and so you got it delisted because "it won't be used for phishing", then it actually does get used for phishing... That's a problem!

    Jokes are nowhere near universal; you could imagine someone who doesn't understand English but knows about "Google" might not get the joke but will see the "google" in "googleScam.com" and trust it.

    In general, this is the problem of your customer and the .online registry, if they decided that they don't want any domain that could at all be used for phishing then that's their decision to make.

    On the other hand the SpamHaus guy has way too big an ego, he could've just explained their philosophy here and closed the ticket.

  • jar Patron Provider, Top Host, Veteran
    edited April 7

    Consider that the problem isn't fully SH but in fact a TLD that suspends domains based on a third party automated blacklist. I bet the SH guys would agree that's a bit excessive, but who is going to protest being given that kind of power?

  • MikeA Member, Patron Provider
    edited April 7

    @jar said:
    Consider that the problem isn't fully SH but in fact a TLD that suspends domains based on a third party automated blacklist. I bet the SH guys would agree that's a bit excessive, but who is going to protest being given that kind of power?

    I never even knew that was a thing until this thread. It's actually insane that there are no checks.

    Thanked by 2: jar, MannDude
  • kait Member

    Imagine relying on HS, what an absolute joke. HS is a great provider for my tyrant list. Fuck em all.

  • Gulf Member

    @sillycat said:
    SSL transparency logs exist.

    No no, they 100% do not do it... ok 99.99% :D
    Big email providers leak them new senders / ips / domains.
    So they have enough data. No need for external databases.

  • DP Administrator, The Domain Guy

    Being robots, they do not actually care about the name as such. They also factor in things like the reputation of other domains on the same servers.

    +

    While your stance on "privacy" and "free speech" may or may not be the issue, the outstanding number of blatant scam domains, however, almost certainly is.

    Based on my interpretation of the message exchange between you and SH, it seems like the other domains that are hosted on your shared hosting service "triggered" the "bots".

    So if you moved/hosted the domain elsewhere, contact them again for removal, do you think they might do it?

  • terrible customer support on the spamhaus side, indeed.

    But the big issue is a registrar who automatically holds a domain that is bot-added to a single blacklist. lol.

    drop the registrar.

    Thanked by 1: MannDude
  • Altes Member

    @DP said: Based on my interpretation of the message exchange between you and SH, it seems like the other domains that are hosted on your shared hosting service "triggered" the "bots".

    I was thinking the same thing... they checked his /24's and saw a bunch of crypto phishing domains, and just aren't interested in working with him due to it. It's understandable...

  • kevinds Member, LIR
    edited April 7

    @DP said: Based on my interpretation of the message exchange between you and SH, it seems like the other domains that are hosted on your shared hosting service "triggered" the "bots".

    So if you moved/hosted the domain elsewhere, contact them again for removal, do you think they might do it?

    But they asked what these domains might be, to cancel the customers, and didn't get an answer.

    I'd rather deal with Spamhaus for listing/delisting compared to Microsoft, but Spamhaus not following their own documentation is really frustrating.

    As soon as a service puts more trust in the robots than humans, they become a PITA to deal with.

    Thanked by 1: MannDude
  • MannDude Host Rep, Veteran

    @Altes said:

    @DP said: Based on my interpretation of the message exchange between you and SH, it seems like the other domains that are hosted on your shared hosting service "triggered" the "bots".

    I was thinking the same thing... they checked his /24's and saw a bunch of crypto phishing domains, and just aren't interested in working with him due to it. It's understandable...

    PM me the list. If nothing is sent to our abuse inbox and none of the current 88 blacklists that ALL shared hosting domains are checked against trigger anything, then I don't know what they are.

    I asked Spamhaus in the ticket, as their own tools on their site report no issues.

  • DP Administrator, The Domain Guy
    edited April 7

    @kevinds said:

    @DP said: Based on my interpretation of the message exchange between you and SH, it seems like the other domains that are hosted on your shared hosting service "triggered" the "bots".

    So if you moved/hosted the domain elsewhere, contact them again for removal, do you think they might do it?

    But they asked what these domains might be, to cancel the customers, and didn't get an answer.

    I'd rather deal with Spamhaus for listing/delisting compared to Microsoft, but Spamhaus not following their own documentation is really frustrating.

    As soon as a service puts more trust in the robots than humans, they become a PITA to deal with.

    Well, it's usually an uphill battle with SH anyways, and if I were @MannDude, I'd just drop support for all Radix-related TLDs.

    Not because they (SH) solely rely on their robots, but it's because they're not willing to work with ISPs to actually look into possible false positives, as seen here.

    Thanked by 1: MannDude
  • MannDude Host Rep, Veteran
    edited April 7

    Update: I've been provided a list via PM. Quite possible these 'crypto scam' domains Spamhaus is referring to were seen on bgp.he.net since they aren't appearing on any blacklists maintained by anyone I've seen.

    A bunch of 'wallet' related domains pointing to one of our IPs (VPS range). In that case, that IP hasn't been assigned to any VM in some time. Just some 3rd party DNS provider where all these domains are setup have an A record pointing to that IP, but that IP hasn't been assigned to anything in quite a while.

    In another case, dozens of 'wallet' domains point to an active VM. Zero complaints about any of them. For all I know these are officially held 'typo' domains for a large project and not being used for anything malicious. The VM has been active for years and not one single abuse complaint. I'm not going to take action on that when there is nothing to take action on.

    Another one seemed more concerning, but also has never generated a complaint. Messaged that user just to let them know if the domain they pointed to their VPS was used for what the domain suggests it may be used for, that it would be against our policy. No other action required because no abuse has actually occurred.

    Keep in mind these domains I mention are not registered through us. They're just listed as domains pointing to our network on bgp.he.net, all using 3rd party DNS, etc.

    In every case, none of these actually appear on Spamhaus' own website or checker, nor have we ever been officially sent an abuse report from any other 3rd party. These are literally just DNS records that exist and are publicly searchable, that 'look' concerning but have never done anything concerning.

    This sort of thing is what I mean when I tell people there is much more to the internet than just hardware and networks. Many 3rd parties can just say, "Well, we don't really like you." and then just do things like this that would prevent access to sites. Meanwhile, no one gets contacted because, well, they don't have to, of course!

    @DP said:

    @kevinds said:

    @DP said: Based on my interpretation of the message exchange between you and SH, it seems like the other domains that are hosted on your shared hosting service "triggered" the "bots".

    So if you moved/hosted the domain elsewhere, contact them again for removal, do you think they might do it?

    But they asked what these domains might be, to cancel the customers, and didn't get an answer.

    I'd rather deal with Spamhaus for listing/delisting compared to Microsoft, but Spamhaus not following their own documentation is really frustrating.

    As soon as a service puts more trust in the robots than humans, they become a PITA to deal with.

    Well, it's usually an uphill battle with SH anyways, and if I were @MannDude, I'd just drop support for all Radix-related TLDs.

    Not because they solely rely on their robots but it's because they're not willing to work with ISPs to actually look into possible false positives, as seen here.

    Yup, already on it. Removing them now.

  • kevinds Member, LIR

    @MannDude said: Just some 3rd party DNS provider where all these domains are setup have an A record pointing to that IP

    This one is concerning...

    One could create a few of these domains and just point them at -insert hosting provider- and cause havoc for them when there isn't any actual issues..

    I've dealt with this on our network with some outfits, IPs that had never been assigned, at least they were eventually 'fixed' at that time.. Get abuse notifications too, for IPs that have never been assigned.

  • DP Administrator, The Domain Guy

    @MannDude said:
    Update: I've been provided a list via PM. Quite possible these 'crypto scam' domains Spamhaus is referring to were seen on bgp.he.net since they aren't appearing on any blacklists maintained by anyone I've seen.

    A bunch of 'wallet' related domains pointing to one of our IPs (VPS range). In that case, that IP hasn't been assigned to any VM in some time. Just some 3rd party DNS provider where all these domains are setup have an A record pointing to that IP, but that IP hasn't been assigned to anything in quite a while.

    In another case, dozens of 'wallet' domains point to an active VM. Zero complaints about any of them. For all I know these are officially held 'typo' domains for a large project and not being used for anything malicious. The VM has been active for years and not one single abuse complaint. I'm not going to take action on that when there is nothing to take action on.

    Another one seemed more concerning, but also has never generated a complaint. Messaged that user just to let them know if the domain they pointed to their VPS was used for what the domain suggests it may be used for, that it would be against our policy. No other action required because no abuse has actually occurred.

    Keep in mind these domains I mention are not registered through us. They're just listed as domains pointing to our network on bgp.he.net, all using 3rd party DNS, etc.

    In every case, none of these actually appear on Spamhaus' own website or checker, nor have we ever been officially sent an abuse report from any other 3rd party. These are literally just DNS records that exist and are publicly searchable, that 'look' concerning but have never done anything concerning.

    This sort of thing is what I mean when I tell people there is much more to the internet than just hardware and networks. Many 3rd parties can just say, "Well, we don't really like you." and then just do things like this that would prevent access to sites. Meanwhile, no one gets contacted because, well, they don't have to, of course!

    @DP said:

    @kevinds said:

    @DP said: Based on my interpretation of the message exchange between you and SH, it seems like the other domains that are hosted on your shared hosting service "triggered" the "bots".

    So if you moved/hosted the domain elsewhere, contact them again for removal, do you think they might do it?

    But they asked what these domains might be, to cancel the customers, and didn't get an answer.

    I'd rather deal with Spamhaus for listing/delisting compared to Microsoft, but Spamhaus not following their own documentation is really frustrating.

    As soon as a service puts more trust in the robots than humans, they become a PITA to deal with.

    Well, it's usually an uphill battle with SH anyways, and if I were @MannDude, I'd just drop support for all Radix-related TLDs.

    Not because they solely rely on their robots but it's because they're not willing to work with ISPs to actually look into possible false positives, as seen here.

    Yup, already on it. Removing them now.

    Yeah, I was just looking there myself and randomly checked a couple of names which appear to be listed in the DBL.

  • DP Administrator, The Domain Guy

    @MannDude said: 3rd party DNS provider where all these domains are setup have an A record pointing to that IP, but that IP hasn't been assigned to anything in quite a while.

    It could be that the bots would only pick them up when the name's FDNS record corresponds with the IP's rDNS record, during that particular time.

    Both the domains I checked were listed in SH DBL and they were pointing to the same IP with the IP also having rDNS records of the domains.

  • MannDude Host Rep, Veteran

    Seems they may be checking the unrelated subnets to make their determination.

    Shared hosting IPs aren't generating any complaints, nor are the domains hosted on them which is where the domain in question is hosted.

    IPs in other subnets contain Tor Exits, VPS users, etc. That's where these 'crypto scam' domains are pointing, even though the ones in particular are explained above. Not generating abuse, or pointing to a VPS IP that isn't even active.

    @DP if you don't mind, can you PM me the ones you did find in SH's DBL? Their own website tool when searching our ASN shows a, "No Issues" response. Haven't manually checked IPs at random or random domains pointing to IPs yet.

  • DP Administrator, The Domain Guy

    @MannDude said:
    Seems they may be checking the unrelated subnets to make their determination.

    Shared hosting IPs aren't generating any complaints, nor are the domains hosted on them which is where the domain in question is hosted.

    IPs in other subnets contain Tor Exits, VPS users, etc. That's where these 'crypto scam' domains are pointing, even though the ones in particular are explained above. Not generating abuse, or pointing to a VPS IP that isn't even active.

    @DP if you don't mind, can you PM me the ones you did find in SH's DBL? Their own website tool when searching our ASN shows a, "No Issues" response. Haven't manually checked IPs at random or random domains pointing to IPs yet.

    Your ASN comes up clean, and so do your IPs - at least the ones that I've checked.

    Damn, I didn't take note of the domains.

    Give me a few minutes to look again and I'll send them over.

  • MannDude Host Rep, Veteran
    edited April 7

    Things I have learned:

    • Spamhaus' search tool is broken. For example, searching for the IP of a shared hosting server will have their tool report, "No issue", but searching for specific domains sharing that IP will show a listing. Their tool says you can search via ASN, but this too returns no results. Either for our ASN or for others.

    • It appears that almost all of these that I've checked don't even have a site associated with them, and none have appeared in abuse reports. They're just domains with the word 'crypto', 'token', 'wallet', etc in them... Many people buy and sell domain names from domain auctions, many of us do it right here on LowEndTalk for hosting and other related industry domains. This of course occurs in other industries as well. Could they be super sleeper domains that a year from now will awaken? Probably not. More than likely just some crypto-bro bought some domains for fun knowing he can probably sell them later for more than he paid for them.

    Still looking more into it and trying to see if there are any real 'problematic' domains or if they're just getting flagged because their system is just too automated and too discriminatory against anything crypto related.

  • Zappie Member, Host Rep, LIR

    @MannDude said: Spamhaus' search tool is broken. For example, searching for the IP of a shared hosting server will have their tool report, "No issue", but searching for specific domains sharing that IP will show a listing. Their tool says you can search via ASN, but this too returns no results. Either for our ASN or for others.

    As far as I can see their search works as follows:

    • If you enter an ASN it only looks at the ASN DROP list (example of a listed ASNs https://www.spamhaus.org/drop/asndrop.json )
    • If you enter a Domain it will only search the DBL
    • If you enter an IP address it will look at PLB, SBL, XBL, CSS

    You can't enter an ASN with their search and see IP addresses which are listed. For that you will need to iterate through each and every one of your IP addresses and query them individually (or use a tool that does that for you).

    It's all kinda dumb and understandably confusing.

    Thanked by 2: MannDude, MikeA
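An added example, not code from the original posts or from Spamhaus, showing the DNS mechanics behind two things discussed above: the OP's practice of checking hosted domains against DNSBLs, and Zappie's point that there is no single query for "is my ASN or prefix listed", so an IP range has to be walked one address at a time. IP lists are queried by reversing the address under the list zone; domain lists such as the Spamhaus DBL are queried by appending the zone to the name; a listing comes back as an A record in 127.0.0.0/8 whose value identifies the sub-list. The return-code tables are as Spamhaus publishes them for ZEN and DBL and should be checked against the current documentation; the resolver is injectable so the sample run below uses constructed answers and makes no network requests. The zone names and `joke-domain.example` are the only identifiers assumed here.

```python
"""DNSBL lookup mechanics: IP lists and domain lists, one address at a time.

Added example, not code from the original posts or from Spamhaus. Return-code
meanings are as published by Spamhaus for ZEN and DBL; verify against current
documentation before relying on them. The resolver is injectable so the sample
run uses constructed answers and makes no network requests."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]  # query name -> A records; [] means NXDOMAIN (not listed)

ZEN = "zen.spamhaus.org"   # combined IP list: SBL + CSS + XBL + PBL
DBL = "dbl.spamhaus.org"   # domain list; the list the registry acted on in this thread

ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
DBL_CODES = {
    "127.0.1.2": "spam domain", "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain", "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam", "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legit phish", "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
    "127.0.1.255": "IP queries prohibited",   # DBL was asked about an IP, not a domain
}
# Answers that mean the query itself failed, not that anything is listed.
QUERY_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver refused",
    "127.255.255.255": "excessive number of queries",
}


def ip_query_name(ip: str, zone: str = ZEN) -> str:
    """1.2.3.4 -> 4.3.2.1.<zone>; IPv6 is reversed nibble by nibble."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def domain_query_name(domain: str, zone: str = DBL) -> str:
    """example.com -> example.com.<zone> (lower-cased, trailing dot removed)."""
    return f"{domain.strip('.').lower()}.{zone}"


def interpret(answers: Iterable[str], codes: Dict[str, str]) -> List[str]:
    """Map returned A records to list names; raise on a query-error code."""
    labels = []
    for a in answers:
        if a in QUERY_ERRORS:
            raise RuntimeError(f"DNSBL query error {a}: {QUERY_ERRORS[a]}")
        labels.append(codes.get(a, f"unknown code {a}"))
    return labels


def stdlib_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver. Spamhaus refuses queries that
    arrive via large public resolvers (see QUERY_ERRORS), so use your own."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolver: Resolver = stdlib_resolver, zone: str = ZEN) -> List[str]:
    return interpret(resolver(ip_query_name(ip, zone)), ZEN_CODES)


def check_domain(domain: str, resolver: Resolver = stdlib_resolver, zone: str = DBL) -> List[str]:
    return interpret(resolver(domain_query_name(domain, zone)), DBL_CODES)


def sweep_network(cidr: str, resolver: Resolver = stdlib_resolver, zone: str = ZEN) -> Dict[str, List[str]]:
    """Query every address in a prefix; there is no 'is my /24 listed' query."""
    listed: Dict[str, List[str]] = {}
    for addr in ipaddress.ip_network(cidr, strict=False):
        hits = check_ip(str(addr), resolver, zone)
        if hits:
            listed[str(addr)] = hits
    return listed


# Constructed answers standing in for live DNS: one listed host in 192.0.2.0/30
# and one DBL-listed name; everything else is NXDOMAIN (not listed).
FAKE_ANSWERS = {
    "1.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
    "joke-domain.example.dbl.spamhaus.org": ["127.0.1.4"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    print(sweep_network("192.0.2.0/30", fake_resolver))       # {'192.0.2.1': ['SBL', 'XBL']}
    print(check_domain("joke-domain.example", fake_resolver))  # ['phish domain']
```

Two practical notes. A clean IP answer says nothing about the DBL, and a clean DBL answer says nothing about the IP lists, which is the web-tool behaviour Zappie describes: the zone you query decides which data you see. And ZEN includes the PBL, so a hit on a hosting or residential range may be a policy listing rather than evidence of abuse; look at the returned code, not just at whether an answer came back.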
  • concept Member
    edited April 8

    Definitely not the only one having issues with Spamhaus

    Thanked by 1: fatchan
  • JasonM Member
    edited April 8

    @MannDude said: Radix states there is a Spamhaus listing for the domain for 'phishing'. "Ah, maybe it wasn't a joke afterall" I thought...

    In my personal experience, if a domain name is from the RADIX registry and is found in VirusTotal, or Google Safe Browsing, or any popular anti-phishing/spam/fraud database, and if anyone complains to RADIX, they suspend the domain (serverHold status). I've myself many a time complained about such domains and RADIX is quick in suspending them. No need to go to the web host, mail provider or domain registrar. Also, RADIX does not send any email to registrants or the registrar about it (that is, no warning, etc.). IF that domain is removed from any of those anti-phishing/spam databases (after cleaning up the infected files, or removing the false positive), and the registrant contacts RADIX, then they restore the domain.

  • dhmo Member

    I get false detections such as spam email, but I never send email, and many other false ones too.
    They are a shit database. I think we need to shut them down for everyone.
    They are scammers.

  • kevinds Member, LIR

    @dhmo said:
    They are shit database. I think we need to shutdown them for everyone.
    They are scammers.

    They'll get themselves shut down...

    As they continue doing shit as described above, more and more sysadmins stop trusting them, so stop using them, leading to shutdown..

    Thanked by 1: totally_not_banned