Spamhaus and ISP spar over 'email DoS' blacklisting
How the spam row erupted
Analysis Spamhaus and a Dutch ISP that was temporarily slapped on the anti-spam organisation's blacklist continue to be at loggerheads – even after the service provider was removed from the list.
The row between A2B and Spamhaus came after the Dutch ISP allegedly provided connectivity services to CB3ROB (AKA Cyberbunker), an outfit long identified by Spamhaus as a rogue host and included on its Spamhaus Block List (SBL) – which is used by email providers to weed out spam.
Cyberbunker offers anonymous hosting of anything "except child porn and anything related to terrorism", as its terms and conditions proudly proclaim. This almost 'anything goes' classification means spam, phishing site and malware hosting is tolerated.
According to Spamhaus, Cyberbunker has long been a haven for cybercrime and spam. Cyberbunker itself does not respond to complaints. Spamhaus deals with this common situation by adding rogue hosts to its SBL and contacting upstream providers to encourage them to kick bad actors off their network.
After notifying A2B several times about Cyberbunker since June without results, one of A2B's IP ranges was added to the Spamhaus Block List's "providing a spam support service" category. Until Spamhaus finally escalated the SBL listing on 6 October, A2B Internet was also providing connectivity to a Chinese-based rogue host, whose businesses include selling counterfeit watches advertised via spam, according to Spamhaus.
The Spamhaus Project tracks email spammers and spam-related activity. It supplies DNS-based block lists that are used by many ISPs to block traffic from known spammers. A2B was placed on this list for around two days until it stopped handling traffic for Cyberbunker, which is still online but connected via anther provider.
A2B responded to the blacklisting by accusing Spamhaus of acting as internet vigilantes and complaining to the police over alleged extortion. It accuses Spamhaus of placing "disproportionate pressure ... upon us to stop routing for a network without legal cause or reason". It further argues Spamhaus should take up any problem it has with Cyberbunker directly or with the police, not upstream providers.
"The thing is that we are a LIR (Legal Internet Registrant) and we provide transit to other LIRs and ISPs," Erik Bais, a director at A2B Internet told El Reg.
"If Spamhaus is having an issue with something that CB3ROB is doing, they can either take it up with them or if they don't want to, take it up with the police.
"We have acted on the provided abuse message after pushing Spamhaus to provide it, and when they stated that blocking one IP address was not enough and they wanted to see CB3ROB completely removed from our network, it shows exactly how detached from reality they are.
"CB3ROB isn't even a customer of ours, but is rather a customer of Datahouse (who also has their own network and IP addresses) and to move up two ISPs and start complaining there is just insane. On top of that, putting the IPs of that ISP on a blacklist to "make your point" is something I don't have a good word for."
Steve Linford, the Spamhaus founder, defended the blacklisting. "We do not need to 'take it up with the police' every time we encounter a rogue host or spam host, we very simply add them to the SBL," Linford told El Reg. "That is what the SBL is for.
"All of CB3ROB has been on the SBL for some time. There has not been a single complaint from any CB3ROB customer about it, because there are no CB3ROB customers that wish to show their heads above ground to complain," he added.
Linford claimed Bais runs Datahouse, so attempts to push the issue off to that ISP are disingenuous.
Bais countered that Datahouse has outsourced the management of its network to A2B but said that he wasn't employed by Datahouse.
According to Bais, the blacklisting of a range (but not all) of A2B's internet addresses meant that a number of the ISP's customers, including a high street retail chain, were left unable to send email. He compared this to the BlackBerry outage last week.
It is this collateral damage that prompted Bais to file a police complaint against Spamhaus. "I don't want to put Spamhaus out of business or sue it for money but I do want it to change its policies, which are unjust," Bais said. "They are listing innocent addresses that not involved in spamming. What Spamhaus did felt like extortion. A denial of email service."
Bais also disputed Spamhaus's assessment that Cyberbunker is a haven for cybercrime, arguing that it is Chinese-based customers peddling replicas and torrent tracker services, rather anything more unsavoury, that have led to the complaints Spamhaus is pursuing. He claimed that Cyberbunker would respond to requests to take down botnet command-and-control hubs, for example, and would "look at a valid complaint".
Linford argued that A2B's claims on the effect of the temporary blacklisting applied by Spamhaus are exaggerated.
"There was only ever one of A2B's many IP ranges on the SBL, back on October 6, it was 220.127.116.11/21 and it was only on the SBL for 48 hours. To enlarge his story A2B has been saying that 'all' of A2B was on the SBL, which is a lie," Linford said.
"So the current status is that A2B has no SBL listings, the one they had on October 6 lasted only 48 hours and was only a small part of their IP range – not the 'all of A2B' Erik Bais says.
"CB3ROB is still on the SBL and will remain on the SBL for the foreseeable future until we are convinced it would not pose a threat to SBL users to remove it," Linford added.
Bais told El Reg that it had received messages of support from several other ISPs since complaining to Dutch police about Spamhaus. He didn't say how many ISPs had come out in support of A2B's stance but suggested that police complaints against Spamhaus by ISPs in the UK and Switzerland may follow.
Out of line
Linford said most ISPs co-operated with Spamhaus and had no problem with its methods. "We always ask upstreams to stop giving transit to rogue hosts once the host is completely SBL'd. All transit providers have Terms of Service which forbid spam and malware from a downstream and require downstreams to handle complaints promptly. A2B is the only transit provider we know of that also doesn't care what his downstream does."
But what about the Dutch police complaint by A2B?
Spamhaus, at least, is confident nothing will come of it. "As was to be expected, we have not heard a peep from any police about the complaint A2B says it filed," he told El Reg.
Sponsored: 2016 Cyberthreat defense report