Spamhaus is at it again.

Maounique Host Rep, Veteran
edited February 2014 in General

http://www.spamhaus.org/sbl/query/SBL214350
Bam, the whole /16 is blacklisted. Maybe people will start reconsidering using Spamhaus?

I mean, this will keep happening, more and more people will rent PI space and some will end up in ASNs of spammers, or some people who will resell, for example servers or VPNs, or VPSes. What happened with blocking by ASN? Is that so hard now? Or Resilans are late with the "cut" for Spamhaus?

Get IPs from others... Because renumbering is easy and this won't happen again.

Comments

  • "ALLOCATED PI" is an interesting status for the netblock in the RIPE database. How is that even possible?

  • At this rate I expect there to be 3,706,452,992 IPv4 addresses blacklisted by SpamHaus by the end of 2015.
    Anyone want to take this bet?

  • It is apparently not blocked anymore as per that link.

  • Spamhaus hasn't been a reliable service for a decade. They lost their very last credibility when they included an entire domain registry(!) in their list because it didn't delete a domain as requested by Spamhaus. Simple blackmail.

  • nonuby Member
    edited February 2014

    I'm mutual on this, Spamhaus is draconian in nature, however spam is a very real problem.

    Web hosts, particularly of the low-cost VPS variety, aren't doing enough to stop spam. Is it too much to say: okay, during a probation period you must relay mail through our special mail relays (some rules on hypervisor that only port 25 traffic to a local smart host with quotas and monitoring etc.) or whitelisted servers (postmark/sendgrid/mandrill/ses/mailjet etc.); after 90 days we'll release the restriction, or alternatively send us a copy of passport and credit card to expedite the lift?
    This is a similar policy to Redstation http://www.redstation.com/dedicated-server/dedicated-server-faqs - very smart.
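
The probation policy described in the comment above, as an added example that is not part of the original post: a decision function for outbound connections from customer VMs, replayed over constructed events. The smart host name, the whitelisted range, the quota value and all function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

PROBATION = timedelta(days=90)        # probation length from the comment
SMART_HOST = "smarthost.example.net"  # hypothetical local relay
# Constructed documentation range standing in for whitelisted relay providers
WHITELISTED_RELAYS = [ip_network("198.51.100.0/24")]
DAILY_QUOTA = 3                       # assumed quota, kept tiny for the demo

@dataclass
class Customer:
    signup: date
    id_verified: bool = False  # passport / credit card check passed
    relayed_today: int = 0     # connections already sent via the smart host

def decide(cust, dst_ip, dst_port, today):
    """Return the action for one outbound connection from a customer VM."""
    if dst_port != 25:
        return "allow"  # only direct SMTP delivery is restricted
    if cust.id_verified or today - cust.signup >= PROBATION:
        return "allow"  # restriction lifted
    if any(ip_address(dst_ip) in net for net in WHITELISTED_RELAYS):
        return "allow"  # approved third-party relay
    if cust.relayed_today >= DAILY_QUOTA:
        return "reject"  # over quota: drop and leave for abuse review
    cust.relayed_today += 1
    return "redirect:" + SMART_HOST

def replay(customers, events, today):
    """Apply decide() to (customer_id, dst_ip, dst_port) events."""
    actions, flagged = [], set()
    for cid, dst_ip, dst_port in events:
        action = decide(customers[cid], dst_ip, dst_port, today)
        actions.append(action)
        if action == "reject":
            flagged.add(cid)  # quota hit: candidate for abuse-desk review
    return actions, sorted(flagged)

if __name__ == "__main__":
    today = date(2014, 2, 28)
    customers = {"new": Customer(date(2014, 2, 1)),
                 "old": Customer(date(2013, 1, 1))}
    # Constructed events: (customer id, destination IP, destination port)
    events = [("new", "203.0.113.9", 25)] * 4 + [("old", "203.0.113.9", 25)]
    print(replay(customers, events, today))
```

The quota here counts redirected connections, not messages; per-message limits would be enforced on the smart host itself.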

  • So once the range gets listed, what exactly is the procedure to remove it?

  • @joelgm said:
    So once the range gets listed, what exactly is the procedure to remove it?

    You have to email Spamhaus letting them know that appropriate action has been taken.

  • @mikeg said:
    You have to email Spamhaus letting them know that appropriate action has been taken.

    And how do they verify that?

  • @joelgm said:

    It is a matter of trust I guess.

    After they remove it, and the exact same notification appears again, then I think you would have more trouble the next time getting it removed.

  • It's not uncommon to get hammered with every IP in a /16. That seems to be why some of these companies exist. I'm all for Spamhaus. They are doing a great job.

  • @IndyRadio said:
    It's not uncommon to get hammered with every IP in a /16. That seems to be why some of these companies exist. I'm all for Spamhaus. They are doing a great job.

    I agree with you, I have had no bad experiences with them. We get all entries removed very quickly and do not tolerate spammers whatsoever. As we currently don't have our own AS, the notifications go to our DC and they forward them to us to act on.

    If a company continually fails to act on the notifications and sufficient proof has been given for spamming from multiple subnets on their network, it is their own fault that the whole range gets listed.

    Simple solution is to act swiftly if you get a notification and have some decent checks in place to make sure spammers don't slip through the order verification process.

  • Maounique Host Rep, Veteran
    edited February 2014

    @mikeg said:
    Simple solution is to act swiftly if you get a notification and have some decent checks in place to make sure spammers don't slip through the order verification process.

    That is okay as long as you control the range. When you do not, then you have a problem. None of those incidents listed were from our ASN, yet they blacklisted ours too. They threatened to blacklist the ASN for two incidents in the past; apparently, that is no longer possible and they blacklist the whole range if it is PI, no matter where it is split to. If you have bad luck, no problem, you buy from others and then they will get blacklisted too. Renumbering is perfectly fine, once every month or so, we don't want to get bored with the same IPs all the time, isn't it?

  • perennate Member, Host Rep
    edited February 2014

    mikeg said: If a company continually fails to act on the notifications and sufficient proof has been given for spamming from multiple subnets on their network, it is their own fault that the whole range gets listed.

    Simple solution is to act swiftly if you get a notification and have some decent checks in place to make sure spammers don't slip through the order verification process.

    Nope, even if you act swiftly they still may list your entire range. SpamHaus doesn't care about your business, they only care about the people who sponsor them with money, and that means if they feel bored they may blacklist a /16 that includes you.

    Did you even read the topic?

    Thanked by 2: Magiobiwan, GM2015

  • nonuby said: I'm mutual on this, Spamhaus is draconian in nature, however spam is a very real problem.

    I guess this is a problem. I don't know if Gmail is just really good at it, but I almost never get any spam in the inboxes I look at; it's always emails or mailing lists that I have signed up for.

    nonuby said: Web hosts, particularly of the low-cost VPS variety, aren't doing enough to stop spam. Is it too much to say: okay, during a probation period you must relay mail through our special mail relays (some rules on hypervisor that only port 25 traffic to a local smart host with quotas and monitoring etc.) or whitelisted servers (postmark/sendgrid/mandrill/ses/mailjet etc.); after 90 days we'll release the restriction, or alternatively send us a copy of passport and credit card to expedite the lift? This is a similar policy to Redstation http://www.redstation.com/dedicated-server/dedicated-server-faqs - very smart.

    I guess something like this could work out in the end. I use Mandrill since it gives me some stats. I know there are many like it. I don't have to worry about configuring email ever that way, and my code likes it. It's a shame the internet was not set up in a way that a provider can get a nice large subnet then slice it into smaller ones but register the slices to their customers, so at least it's not the whole DC getting blacklisted but it's then one provider, and then that provider can slice it up and flag it to one person or domain.

  • Maounique Host Rep, Veteran

    wojons said: It's a shame the internet was not set up in a way that a provider can get a nice large subnet then slice it into smaller ones but register the slices to their customers, so at least it's not the whole DC getting blacklisted but it's then one provider, and then that provider can slice it up and flag it to one person or domain.

    Actually, that can be done up to a point, but then, who stops DCs from assigning a "fresh" block to spammers each time they need it (daily) and putting the "dirty" ones to "cool off"?
    The blacklisting of providers is legitimate if they do that, however, this is not the case with Resilans, you cannot just block a whole /16 because there were a few cases involving a couple of people having a couple of /24s... Spamhaus HAS the ability to block by ASN, therefore they could have blocked the ASN of the perpetrators, case closed. Since they didn't take the easy way, this means there is some other motivation involved, probably their need to get a cut from the RIPE IP trading.

    Thanked by 2: Infinity, fwidell

  • The idea of Spamhaus is not bad at all.

    It is a way to handle things and blocking more than one IP is the only way to pile on the pressure to a provider to stop/change things.

    So if everyone would own his/her IPs and all swift information would be correct they should be allowed to block wider ranges.

    But we are not living in an ideal world. So they should cope with that and try to do the best to balance their sword.

  • GoodHosting Member
    edited February 2014

    @wlanboy said:
    So if everyone would own his/her IPs and all swift information would be correct they should be allowed to block wider ranges.

    Lots and lots of LowEnd providers do not SWIP IPs or ranges whatsoever, and if someone goes and does it, children open a thread screaming about their privacy when their friend finds their address on the kid's RSGP IP with IP WHOIS.

    Been down this road, it's much easier to not SWIP anything; and have an internal rWHOIS database that answers up to queries that are done through the right sites (ie: sites that actually query referral, not just RIPE/whatever directly.)

    Luckily, sites that query referral as well are not the first results on Google, so a lot less stupid threads get started here as a result.


    P.S: SpamHaus also doesn't care who the IPs are SWIP'd to, they blacklist the block after a single address had a single email reported as spam, then proceed to blacklist your entire pool of ranges (everything on your Org ID / POC IDs.) It's happened to us three times already.

  • Maounique Host Rep, Veteran
    edited February 2014

    HardCloud said: they blacklist the block after a single address had a single email reported as spam

    Not even that, it seems the guys at the "well known "flooring" scheme" are really behind with their cut, they blacklist for hosting dns too, something you cannot do anything to defend against. 99% of spammers we catch ourselves and with the help of spamcop. Spamhaus is not after spammers, in general, only after some.

  • fwidell Member
    edited February 2014

    We (as Resilans) actually had several /16's and some /19's in their blocklists. We wrote an incident report of the event if you wish to read; in short, a lot of the Swedish municipalities and authorities were unable to send or receive email due to Spamhaus' erratic behaviour. Here's a small list of who were affected: http://webb.resilans.se/documents/spamhaus-incident-20140227-en.pdf

  • blergh_ Member
    edited February 2014

    @fwidell said:
    We (as Resilans) actually had several /16's and some /19's in their blocklists. We wrote an incident report of the event if you wish to read; in short, a lot of the Swedish municipalities and authorities were unable to send or receive email due to Spamhaus' erratic behaviour. Here's a small list of who were affected: http://webb.resilans.se/documents/spamhaus-incident-20140227-en.pdf

    Sad to see, Spamhaus is crazy when it comes to "blocking spam". I've seen similar issues where some websites/activists got blamed for DDoS'ing Spamhaus simply due to them being on the same range/AS as the attack originated from.

    As for Spamhaus - crap deserves crap ("Skit skall skit ha").

  • Maounique Host Rep, Veteran
    edited February 2014

    Boo to the spammers!!!

    Riksrevisionen (The Swedish National Audit)
    Swedish Armed Forces
    Swedish Nuclear Fuel and Waste Management Co, SKB
    Karlstads Kommun (Karlstad municipality)
    Boverket (The National Housing Board)
    Swedish State Power Board (Vattenfall)
    Telefonaktiebolaget LM Ericsson
    Oskarshamns Kommun (Oskarshamns municipality)
    Linkoping University
    Luftfartsverket (The Civil Aviation Administration)
    Lantmateriverket (National Land Survey)
    County Administration of Gothenburg
    Östhammars kommun (Östhammars municipality)
    Länsstyrelsen i Norrbottens lan (County Board of County Norbotten)
    Myndigheten for Samhällsskydd och Beredskap MSB (Authority for Civil Contingencies MSB)
    Täby kommun (Täby municipality)
    Akademiska sjukhuset Uppsala (Uppsala University Hospital)
    Chalmers University of Technology
    Umeå Universitet (Umeå University)
    SUNET (Swedish University NETwork)
    Stockholms Universitet, DSV (Stockholm University)
    D-GIX Service network (NETNOD)
    Royal Institute of Technology
    DNS root name server i.root-servers.net
    Karolinska Institutet
    Saab AB
    Försäkringskassan (Social Insurance Agency)
    Statskontoret (State Treasury)
    Posten (The Swedish postal service)
    Stockholms läns landsting (Stockholm County Council)
    Vårdguiden (Health Care Guide)
    Strålsäkerhetsmyndigheten (the Radiation Safety Authority)
    Örnsköldsviks Kommun (Örnsköldsvik municipality)
    Naturvårdsverket (Environmental Protection Agency)
    AUTONOMICA DNS-services
    IKEA IT AB
    Statens Livsmedelsverk (National Food Administration)
    Dagens Nyheter (Newspaper)
    Vägverket (Swedish Road Administration)
    European Space Agency (ESA)
    Volvo Information Technology
    SAS
    NasdaqOMX
    Aftonbladet (Newspaper)
    NORDUnet
    Spotify Ltd
    Resilans AB
    ftp-archive on SUNET
    Sveriges Riksbank (The Central Bank of Sweden)
    Stadsledningskontoret (The Executive Office)
    Statens Jordbruksverk (Board of Agriculture)

  • IndyRadio said: It's not uncommon to get hammered with every IP in a /16. That seems to be why some of these companies exist. I'm all for Spamhaus. They are doing a great job.

    Did you know gullible's not in the dictionary?
