Spamhaus and ISP spar over 'email DoS' blacklisting

How the spam row erupted


Analysis Spamhaus and a Dutch ISP that was temporarily slapped on the anti-spam organisation's blacklist continue to be at loggerheads – even after the service provider was removed from the list.

The row between A2B and Spamhaus came after the Dutch ISP allegedly provided connectivity services to CB3ROB (AKA Cyberbunker), an outfit long identified by Spamhaus as a rogue host and included on its Spamhaus Block List (SBL) – which is used by email providers to weed out spam.

Cyberbunker offers anonymous hosting of anything "except child porn and anything related to terrorism", as its terms and conditions proudly proclaim. This almost 'anything goes' classification means spam, phishing site and malware hosting is tolerated.

According to Spamhaus, Cyberbunker has long been a haven for cybercrime and spam. Cyberbunker itself does not respond to complaints. Spamhaus deals with this common situation by adding rogue hosts to its SBL and contacting upstream providers to encourage them to kick bad actors off their network.

After Spamhaus had notified A2B several times about Cyberbunker since June without results, one of A2B's IP ranges was added to the Spamhaus Block List's "providing a spam support service" category. Until Spamhaus finally escalated the SBL listing on 6 October, A2B Internet was also providing connectivity to a Chinese-based rogue host, whose businesses include selling counterfeit watches advertised via spam, according to Spamhaus.

The Spamhaus Project tracks email spammers and spam-related activity. It supplies DNS-based block lists that are used by many ISPs to block traffic from known spammers. A2B was placed on this list for around two days until it stopped handling traffic for Cyberbunker, which is still online but connected via another provider.

Under pressure

A2B responded to the blacklisting by accusing Spamhaus of acting as internet vigilantes and complaining to the police over alleged extortion. It accuses Spamhaus of placing "disproportionate pressure ... upon us to stop routing for a network without legal cause or reason". It further argues Spamhaus should take up any problem it has with Cyberbunker directly or with the police, not upstream providers.

"The thing is that we are a LIR (Legal Internet Registrant) and we provide transit to other LIRs and ISPs," Erik Bais, a director at A2B Internet told El Reg.

"If Spamhaus is having an issue with something that CB3ROB is doing, they can either take it up with them or if they don't want to, take it up with the police.

"We have acted on the provided abuse message after pushing Spamhaus to provide it, and when they stated that blocking one IP address was not enough and they wanted to see CB3ROB completely removed from our network, it shows exactly how detached from reality they are.

"CB3ROB isn't even a customer of ours, but is rather a customer of Datahouse (who also has their own network and IP addresses) and to move up two ISPs and start complaining there is just insane. On top of that, putting the IPs of that ISP on a blacklist to "make your point" is something I don't have a good word for."

Black sheep

Steve Linford, the Spamhaus founder, defended the blacklisting. "We do not need to 'take it up with the police' every time we encounter a rogue host or spam host, we very simply add them to the SBL," Linford told El Reg. "That is what the SBL is for.

"All of CB3ROB has been on the SBL for some time. There has not been a single complaint from any CB3ROB customer about it, because there are no CB3ROB customers that wish to show their heads above ground to complain," he added.

Linford claimed Bais runs Datahouse, so attempts to push the issue off to that ISP are disingenuous.

Bais countered that Datahouse has outsourced the management of its network to A2B but said that he wasn't employed by Datahouse.

According to Bais, the blacklisting of a range (but not all) of A2B's internet addresses meant that a number of the ISP's customers, including a high street retail chain, were left unable to send email. He compared this to the BlackBerry outage last week.

It is this collateral damage that prompted Bais to file a police complaint against Spamhaus. "I don't want to put Spamhaus out of business or sue it for money but I do want it to change its policies, which are unjust," Bais said. "They are listing innocent addresses that are not involved in spamming. What Spamhaus did felt like extortion. A denial of email service."

Bais also disputed Spamhaus's assessment that Cyberbunker is a haven for cybercrime, arguing that it is Chinese-based customers peddling replicas and torrent tracker services, rather than anything more unsavoury, that have led to the complaints Spamhaus is pursuing. He claimed that Cyberbunker would respond to requests to take down botnet command-and-control hubs, for example, and would "look at a valid complaint".

Linford argued that A2B's claims on the effect of the temporary blacklisting applied by Spamhaus are exaggerated.

"There was only ever one of A2B's many IP ranges on the SBL, back on October 6, and it was only on the SBL for 48 hours. To enlarge his story A2B has been saying that 'all' of A2B was on the SBL, which is a lie," Linford said.

"So the current status is that A2B has no SBL listings, the one they had on October 6 lasted only 48 hours and was only a small part of their IP range – not the 'all of A2B' Erik Bais says.

"CB3ROB is still on the SBL and will remain on the SBL for the foreseeable future until we are convinced it would not pose a threat to SBL users to remove it," Linford added.

Bais told El Reg that it had received messages of support from several other ISPs since complaining to Dutch police about Spamhaus. He didn't say how many ISPs had come out in support of A2B's stance but suggested that police complaints against Spamhaus by ISPs in the UK and Switzerland may follow.

Out of line

Linford said most ISPs co-operated with Spamhaus and had no problem with its methods. "We always ask upstreams to stop giving transit to rogue hosts once the host is completely SBL'd. All transit providers have Terms of Service which forbid spam and malware from a downstream and require downstreams to handle complaints promptly. A2B is the only transit provider we know of that also doesn't care what his downstream does."

Bais said A2B had a "very strict" abuse policy, pointing to favourable listings by independent third-party services to this effect (here and here).

But what about the Dutch police complaint by A2B?

Spamhaus, at least, is confident nothing will come of it. "As was to be expected, we have not heard a peep from any police about the complaint A2B says it filed," he told El Reg.

Both parties have published their radically different take on ongoing events here and here. ®
