Brief DBL false positive


Spamhaus are rolling out a new subzone of the DBL, for domains whose webservers have been compromised and used to host spam landing pages, often via mass compromises of their management control panels. There was a brief mistake that caused all of .net to be listed in the new subzone, meaning that mail sent with URLs in it that used hostnames in .net may have been rejected or spam-foldered by early adopters or careless users of the DBL.
If you’re using one of the reputation services that wraps many different sorts of listing in a single zone, differentiating between different listing reasons by return code, you should be aware of what all the subzones are and what listings of each type mean. Unless the blacklist operator has a published policy about what sort of sublists might be added in the future, you should never configure your mailservers to take action on any returned value; instead, check for specific return values and ignore any response that you don’t explicitly intend to use.
If your MTA supports it, logging unrecognized responses and alerting based on them is a good idea – both so you know when a new category is added, and so you know if you’ve been blocked from accessing the blacklist, or the blacklist has been shut down and is listing the entire Internet. It’s not unusual for blacklists to see very high query volumes for months or years after they’ve been shut down, presumably from users who are using the data as part of a scoring system and who haven’t noticed that it’s no longer providing any useful data.
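The allow-list handling described in the two paragraphs above, as an added Python example (not code from the original post or from Spamhaus). The return-code table, the error range, the canary check and the function names `classify` and `evaluate` are assumptions for illustration; take the real codes from the list operator's documentation. The sample answers are constructed.

```python
import ipaddress
import logging

log = logging.getLogger("dnsbl")

# Assumed site policy: the only return codes this server acts on. Take the
# real values and meanings from the list operator's published documentation.
ACT_ON = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phishing domain",
    "127.0.1.5": "malware domain",
}
# Assumed range the operator uses for query errors (blocked, bad resolver).
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def classify(domain, answers):
    """Return (action, alerts) for the A records of one lookup."""
    action, alerts = "accept", []
    for raw in answers:
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:
            alerts.append(f"{domain}: malformed answer {raw!r}")
            continue
        if ip in ERROR_NET:
            alerts.append(f"{domain}: list returned error code {ip}")
        elif str(ip) in ACT_ON:
            action = "reject"
        else:  # new subzone or unknown meaning: log it, never act on it
            alerts.append(f"{domain}: unrecognized return code {ip}")
    return action, alerts


def evaluate(domain, answers, canary_answers):
    """Ignore the whole zone if a never-listable canary name is listed."""
    if canary_answers:
        alerts = [f"canary listed ({canary_answers}): zone lists everything"]
        action = "accept"
    else:
        action, alerts = classify(domain, answers)
    for alert in alerts:
        log.warning(alert)  # hook for whatever alerting the site uses
    return action, alerts


# Constructed sample answers, not real lookup results.
print(evaluate("shop.example.net", ["127.0.1.102"], []))
print(evaluate("bad.example", ["127.0.1.2"], []))
print(evaluate("any.example", ["127.0.1.2"], ["127.0.1.2"]))
```

The canary answers come from looking up a name that should never be listed; any answer for it means the zone is answering for everything and should be ignored until someone has investigated.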
 

Related Posts

ROKSO

ROKSO is the Register of Known Spamming Operations. It is a list of groups that have been disconnected from more than 3 different networks for spamming. ROKSO is a little bit different than most of the Spamhaus lists. The listings themselves talk more about the background of the listees and less about the specific emails that are the problem.
Many ISPs and ESPs use ROKSO during customer vetting processes.
Networks can be listed on ROKSO without any mail being sent from those networks. These listings are as much about just categorizing and recording associated networks as they are about blocking spam.
Spamhaus does not accept delisting requests for ROKSO records. In order to be delisted from ROKSO there must be a 6 month period with no spam traceable to the ROKSO entity. After that 6 months the listee can petition for a review of the record. If the spam has stopped their record is retired.
In my experience there is often a lot of research put into each ROKSO record and not all that information is made public.
The only time a record is changed is if Spamhaus is convinced they made a mistake. This does happen, but it’s not that common. Given the amount of research that goes into a ROKSO record, there is a fairly high burden of proof to demonstrate that the information is actually incorrect.
It is possible to get delisted off ROKSO. In all of the cases I know about, the listed entity either got out of email altogether or they radically changed their business model.


Bit.ly gets you Blocked

URL shorteners, like bit.ly, moby.to and tinyurl.com, do three things:


The true facts of spam traps and typo traps

I’m seeing an increase in the number of articles stating wildly wrong things about spam traps. Some have started claiming that typo traps are new. Or that typo traps are newly used by Spamhaus. These claims make for great copy, I guess. Wild claims about how the evil anti-commerce self-appointed internet police are actively trying to trap marketers get clicks. These claims also reinforce the martyr complex some senders have and give them something to commiserate about over drinks at the next email conference.
I strongly recommend ignoring any article that claims Spamhaus started using typo traps in December 2012. In fact, you can immediately dismiss absolutely everything they have to say. They are wrong and have proven they can’t be bothered to do any fact checking.
I can’t figure out why so many people repeat the same false statements over and over and over again. They’re wrong, and no amount of explaining the truth seems to make any difference. I went looking for evidence.
First, I asked on Facebook. A bunch of my contacts on Facebook have been running spam traps for a long time. Multiple people commented that they, personally, have been using typos to track spam since the late ’90s. These typos were on both the right hand side of the @ sign (the domain side) but also on the left hand side of the @ sign (the username).
Then, I looked through my archives of one of the anti-spam mailing lists and I see a Spamhaus volunteer mentioning that he had already been using typo traps in 2007. I asked him about this and he pointed out these are some of his older traps and had been around for many years before that mention.
Of course, we’ve written about typo domains used by an anti-spam group to catch spam.
The truth is, typo traps are not new and they’re not a new set of traps for Spamhaus. I’ve talked about traps over and over again. But I’m seeing more and more articles pop up that make verifiably wrong statements about spam traps. Here are a few facts about spam traps.
 
