Increase in CBL listings

laura
Industry
November 24, 2015

Update: As of Nov 24, 2015 11:18 Pacific, Spamhaus has rebuilt the zone and removed the broken entries. Expect the new data to propagate in 10 – 15 minutes. Delivery should be back to normal.
The CBL issued a statement, which I reposted for readers that find this post in the future. I think it’s important to remember there is a lot of malicious traffic out there and that malicious traffic affects all of us, even if we never see it.
Original Post from 10am pacific on Nov 24

Mid-morning west coast time, I started seeing an uptick in reports from many ESPs and marketers that they were getting listed on the XBL/CBL. Listings mentioned the kelihos spambot.

IP Address 10.10.10.10 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
It was last detected at 2015-11-24 16:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it’s participating in a botnet.
If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

Various folks, including myself, reached out to Spamhaus. As of 10:30 am Pacific time I have confirmation directly from a Spamhaus volunteer that they are aware of the situation and are working to fix it.

What is the CBL?

The CBL is a blocklist designed specifically to pick up botnet infected machines. They monitor a lot of traffic and list IP addresses that exhibit characteristics of botnet infected machines.

What’s that mean in English?

Botnet code has some identifiable issues that lead to being able to identify machines that are infected with that botnet code. The CBL uses these “issues” to identify IP addresses sending botnet email and then lists them on the CBL and the XBL.
One very old example (not botnet, but something similar) is a piece of spamware from the late ’90s that had a broken timezone code – a timezone that did not exist. You could block that spam on the timezone. The CBL blocks on similar characteristics in current mail.

What happened here?

While I don’t have any details, my speculation is that there was a rule that caught a lot of ESP mail that shouldn’t have been caught. The alternative explanation is that a whole bunch of ESPs were simultaneously infected with kelihos. This is extremely unlikely because kelihos is a Microsoft infection and the listed IPs are running other operating systems. So unless there’s been a drastic change in kelihos and there was a coordinated infection against many ESPs, this is a mistake.

What now?

Right now, we wait for Spamhaus to bulk delist the IP addresses. As I said, I’ve personally spoken to one of the volunteers and they are working to resolve the issue. They expect things to be fixed soon (as of 11:10 Pacific).

Dealing with blocklists, deliverability and abuse people

There are a lot of things all of us in the deliverability, abuse and blocklist space have heard, over and over and over again. They’re so common they’re running jokes in the industry. These phrases are used by spammers, but a lot of non-spammers seem to use them as well.
The most famous is probably “I’m sure they’ll unblock me if I can just explain my business model.” Trust me, the folks blocking your mail don’t want to hear about your business model. They just want you to stop doing whatever it is you’re doing. In fact, I’m one of the few people in the space who actually wants to hear about your business model – so I can help you reach your goals without doing things that get you blocked.
A few months ago, after getting off yet another phone call where I talked clients down from explaining their business model to Spamhaus, I put together list of phrases that senders really shouldn’t use when talking to their ESP, a blocklist provider or an abuse desk. I posted it to a closed list and one of the participants put it together into a bingo card.

A lot of these statements are valid marketing and business statements. But the folks responsible for blocking mail don’t really care. They just want their users to be happy with the mail they receive.

Email verification services

Just yesterday a group of delivery folks were discussing email verification services over IRC. We were talking about the pros and cons, when we’d suggest using them, when we wouldn’t, which ones we’ve worked with and what our experiences have been. I’ve been contemplating writing up some of my thoughts about verification services but it’s a post I wanted to spend some time on to really address the good parts and the bad parts of verification services.
Today, Spamhaus beat me to the punch and posted a long article on how they view email verification services. (I know that some Spamhaus folks are part of that IRC channel, but I don’t think anyone was around for the discussion we had yesterday.)
It’s well worth a read for anyone who wants some insight into how email verification is viewed by Spamhaus. Their viewpoints are pretty consistent with what I’ve heard from various ISP representatives as well.
In terms of my own thoughts on verification services, I think it’s important to remember that the bulk of the verification services only verify that an address is deliverable. The services do not verify that the address belongs to the person who input it into a form. The services do not verify that an address matches a purchased profile. The services do not verify that the recipient wants email from the senders.
Some of the services claim they remove spamtraps, but their knowledge of spamtraps is limited. Yes, stick around this industry long enough and you’ll identify different spamtraps, and even spamtrap domains. I could probably rattle off a few dozen traps if pressed, but that’s not going to be enough to protect any sender from significant problems.
Some services can be used for real time verification, and that is a place where I think verification can be useful. But I also know there are a number of creative ways to do verification that also check things like permission and data validity.
From an ESP perspective, verification services remove bounces. This means that ESPs have less data to apply to compliance decisions. Bounce rate, particularly for new lists, tells the ESP a lot about the health of the mailing list. Without that, they are mostly relying on complaint data to determine if a customer is following the AUP.
Spamhaus talks about what practices verification services should adopt in order to be above board. They mention actions like clearly identifying their IPs and domains, not switching IPs to avoid blocks and not using dozens or hundreds of IPs. I fully support these recommendations.
Email verification services do provide some benefit to some senders. I can’t help feeling, though, that their main benefit is simply lowering bounce rates and not actually improving the quality of their customers’ signup processes.

Another one bites the dust

NASK (the Polish domain registry) has taken over a number of domain names used in spreading viruses and infections.