The Register® — Biting the hand that feeds IT

Spamhaus and ISP spar over 'email DoS' blacklisting

How the spam row erupted

Analysis Spamhaus and a Dutch ISP that was temporarily slapped on the anti-spam organisation's blacklist continue to be at loggerheads – even after the service provider was removed from the list.

The row between A2B and Spamhaus came after the Dutch ISP allegedly provided connectivity services to CB3ROB (AKA Cyberbunker), an outfit long identified by Spamhaus as a rogue host and included on its Spamhaus Block List (SBL) – which is used by email providers to weed out spam.

Cyberbunker offers anonymous hosting of anything "except child porn and anything related to terrorism", as its terms and conditions proudly proclaim. This almost 'anything goes' classification means spam, phishing site and malware hosting is tolerated.

According to Spamhaus, Cyberbunker has long been a haven for cybercrime and spam. Cyberbunker itself does not respond to complaints. Spamhaus deals with this common situation by adding rogue hosts to its SBL and contacting upstream providers to encourage them to kick bad actors off their network.

After notifying A2B several times about Cyberbunker since June without results, one of A2B's IP ranges was added to the Spamhaus Block List's "providing a spam support service" category. Until Spamhaus finally escalated the SBL listing on 6 October, A2B Internet was also providing connectivity to a Chinese-based rogue host, whose businesses include selling counterfeit watches advertised via spam, according to Spamhaus.

The Spamhaus Project tracks email spammers and spam-related activity. It supplies DNS-based block lists that are used by many ISPs to block traffic from known spammers. A2B was placed on this list for around two days until it stopped handling traffic for Cyberbunker, which is still online but connected via another provider.

Under pressure

A2B responded to the blacklisting by accusing Spamhaus of acting as internet vigilantes and complaining to the police over alleged extortion. It accuses Spamhaus of placing "disproportionate pressure ... upon us to stop routing for a network without legal cause or reason". It further argues Spamhaus should take up any problem it has with Cyberbunker directly or with the police, not upstream providers.

"The thing is that we are a LIR (Legal Internet Registrant) and we provide transit to other LIRs and ISPs," Erik Bais, a director at A2B Internet told El Reg.

"If Spamhaus is having an issue with something that CB3ROB is doing, they can either take it up with them or if they don't want to, take it up with the police.

"We have acted on the provided abuse message after pushing Spamhaus to provide it, and when they stated that blocking one IP address was not enough and they wanted to see CB3ROB completely removed from our network, it shows exactly how detached from reality they are.

"CB3ROB isn't even a customer of ours, but is rather a customer of Datahouse (who also has their own network and IP addresses) and to move up two ISPs and start complaining there is just insane. On top of that, putting the IPs of that ISP on a blacklist to "make your point" is something I don't have a good word for."

Black sheep

Steve Linford, the Spamhaus founder, defended the blacklisting. "We do not need to 'take it up with the police' every time we encounter a rogue host or spam host, we very simply add them to the SBL," Linford told El Reg. "That is what the SBL is for.

"All of CB3ROB has been on the SBL for some time. There has not been a single complaint from any CB3ROB customer about it, because there are no CB3ROB customers that wish to show their heads above ground to complain," he added.

Linford claimed Bais runs Datahouse, so attempts to push the issue off to that ISP are disingenuous.

Bais countered that Datahouse has outsourced the management of its network to A2B but said that he wasn't employed by Datahouse.

According to Bais, the blacklisting of a range (but not all) of A2B's internet addresses meant that a number of the ISP's customers, including a high street retail chain, were left unable to send email. He compared this to the BlackBerry outage last week.

It is this collateral damage that prompted Bais to file a police complaint against Spamhaus. "I don't want to put Spamhaus out of business or sue it for money but I do want it to change its policies, which are unjust," Bais said. "They are listing innocent addresses that are not involved in spamming. What Spamhaus did felt like extortion. A denial of email service."

Bais also disputed Spamhaus's assessment that Cyberbunker is a haven for cybercrime, arguing that it is Chinese-based customers peddling replicas and torrent tracker services, rather than anything more unsavoury, that have led to the complaints Spamhaus is pursuing. He claimed that Cyberbunker would respond to requests to take down botnet command-and-control hubs, for example, and would "look at a valid complaint".

Linford argued that A2B's claims on the effect of the temporary blacklisting applied by Spamhaus are exaggerated.

"There was only ever one of A2B's many IP ranges on the SBL, back on October 6, it was 178.249.152.0/21 and it was only on the SBL for 48 hours. To enlarge his story A2B has been saying that 'all' of A2B was on the SBL, which is a lie," Linford said.

"So the current status is that A2B has no SBL listings, the one they had on October 6 lasted only 48 hours and was only a small part of their IP range – not the 'all of A2B' Erik Bais says.

"CB3ROB is still on the SBL and will remain on the SBL for the foreseeable future until we are convinced it would not pose a threat to SBL users to remove it," Linford added.

Bais told El Reg that it had received messages of support from several other ISPs since complaining to Dutch police about Spamhaus. He didn't say how many ISPs had come out in support of A2B's stance but suggested that police complaints against Spamhaus by ISPs in the UK and Switzerland may follow.

Out of line

Linford said most ISPs co-operated with Spamhaus and had no problem with its methods. "We always ask upstreams to stop giving transit to rogue hosts once the host is completely SBL'd. All transit providers have Terms of Service which forbid spam and malware from a downstream and require downstreams to handle complaints promptly. A2B is the only transit provider we know of that also doesn't care what his downstream does."

Bais said A2B had a "very strict" abuse policy, pointing to favourable listings by independent third-party services to this effect (here and here).

But what about the Dutch police complaint by A2B?

Spamhaus, at least, is confident nothing will come of it. "As was to be expected, we have not heard a peep from any police about the complaint A2B says it filed," he told El Reg.

Both parties have published their radically different take on ongoing events here and here. ®

Anonymous Coward

Discrepancies

LIR stands for LOCAL internet registry, not LEGAL, and has to do with handing out of address ranges. It doesn't imply providing transit or any other service. Curious that a director of such an outfit doesn't know this.

Spamhaus say they've repeatedly notified them and A2B say they only got one email after asking for it. Time to whip out the evidence. Spamhaus does, as per their published policies, move up (first one, then) two ISPs if the ones below don't react. Again, time to whip out the evidence. Making a point is exactly what spamhaus is about. It is why they only publish blocklists for others to use at their discretion.

This is perfectly reasonable in the cooperative of networks that forms the larger internet. Collateral damage is implied in the escalation policy, but A2B or whoever could've moved the innocents to clean blocks (and if they had run out of addresses, weren't they a LIR?), so it's their failure to care for their network that's gotten them into this. Shoulda moved addresses around, or better yet, not host known spammers. They should have gotten ample advance warning. If not they might have something to take up with spamhaus.

Who else supports A2B's cause? Er, their so-not-a-subsidiary-honest Datahouse is probably one (say hi to the sockpuppet) and well maybe CB3ROB is the other. Though getting classified as "dutch" ought to upset them a bit unless they'll argue that part just happens to not be part of their CYBERBUNKER thing. Wonder what that "strict" policy is. One could speculate, darkly, it's probably very strict on what abuse complaints they'll look at.

I think that spamhaus has the better cards in this, but with the low standards of plod and prosecutors in the Netherlands, if they do manage to get around to this complaint we'll just have to watch what's going to happen.

5
3

On the one hand it's good that people are fighting spam, and there is a group set-up to handle a coordinated response.

On the other it is frankly terrifying that such a huge amount of power is in the hands of such a small group of vigilantes, who appear to be acting like a bunch of cocks

1
0

@ Terry Maguire

>> We use the internet for B2B marketing and were shocked to find that we could be blacklisted without any warnings and only found out via our customers.

Ahh diddums.

Quite frankly, most "marketing" is spam. Apologies if you genuinely only ever send mail to those who genuinely and **knowingly** opted in - if you are then you are in a very very small minority. Note that failing to tick a box, hidden at the bottom of a long form, drawn in pale grey on a slightly paler grey background and labelled with pale grey text, does **NOT** constitute an opt in.

If you were prevented from sending emails because of being on a blacklist then the reason is that the recipients had made policy decisions that they don't want to receive mail from the sort of outfits that find themselves on the blacklist(s) they use. Once you realise that, then your complaint becomes "I couldn't send mail because the recipients didn't want it", and the logical extension of your comments becomes "people shouldn't be allowed to block our emails just because they don't want to receive them".

As an analogy, I'm sure some (for example) minicab outfits have policies about the types of people they want to have in their cars. Some may have a policy not to take bookings from the "rougher end of town" - if that is the case, then your complaint that they won't pick you up is down to you choosing the wrong place to live. The internet is a bit like that - if you make the mistake of setting up office in a rough neighbourhood (ie an ISP that supports spammers) then I'm afraid you'll just have to live with the fact that you won't be able to deal with the people who don't want to deal with email from "the rough end" of the internet.

That is a policy decision made by the people who set up their mail servers. The blacklists simply provide an opinion about any particular bit of the internet. They don't block any mail, and no-one is forced to use them if they don't want to.

I run the mail service for a small ISP/IT services company. Yes we occasionally get blacklisted, and it's almost always because one of our customers has been a d**khead with the stuff they send. However, I find dealing with blacklists a lot easier than dealing with the f***tards at the likes of AOL.

0
0
