Linux Today: Linux News On Internet Time.

More on LinuxToday

Notes from a Senior Editor: Driving Nails with a Jackhammer

May 01, 2006, 23:30 (37 Talkback[s])
(Other stories by James Turner)

By James Turner
Senior Editor

Why does Spamhaus blacklist innocent mail servers?

By all reasonable standards, I should be the poster boy for the anti-spam movement. I've locked down the mail server for my domain so that only authorized users can send outgoing mail. I've published Sender Policy Framework (SPF) records for my domain, so that people can check if spam using my domain really came from an authorized server. I even operate two honeypots for Project Honeypot (http://www.projecthoneypot.org/).

Why, then, is Spamhaus, a UK-based organization that maintains a blacklist of spam-producing mail servers, listing my server? Not because my server sent any spam, but because I and 126 other innocent people happen to exist in the same IP address range as a real spammer. Rather than blacklist a single IP address, Spamhaus is blacklisting half of a full class C range (128 IP addresses) It's akin to banning an entire street from using the postal system because one homeowner was guilty of mail fraud.

As a result, a lot of my outgoing e-mail has been bouncing back over the last few days. I've contacted my ISP and Spamhaus, but I'm still on day 3 of restricted sending. As a freelance writer, I depend on my email for my livelihood. Thankfully, I've got a gmail account that I can use to get my mail out, but I shouldn't have to go through the pain in the first place.

So why is Spamhaus being so aggressive in their blacklisting? Well, one possibility is that they're idiots, but I tend to discount that idea. I think that they're very savvy. They know that most ISPs are slow to act on reports of spammers. So, blacklist 127 innocent users, who will complain most mightily to the ISP, and suddenly there's no more spammer.

Responding to my questions, Steve Linford of Spamhous states that the entire range was blacklisted because "the spammer is using multiple IPs across and so obviously owns or has hijacked multiple hosts in that range. In such cases we list what we deem necessary to contain the spammer. The spams being sent from that range are phishing spams forging two separate banks. Phishing is a serious crime that needs immediate action to stop thousands of people losing their life savings, its part of our task to quickly stop phishing operations. We do not have the luxury of time permitting us to sit around analyzing each IP in the range to see which others are owned, nor the luxury of the ISP's security departent able to tell us which other IPS the phisher owns. Our priority is to protect our users."

With great power comes great responsibility. Many individuals and corporate entities depend on Spamhaus to protect them from spam. But by blacklisting innocent users, Spamhaus cuts them off from the outside world. Being able to send an email is no longer a luxury, it can be the difference between getting a job and not. Spamhaus needs to clean up their act, and apply the appropriate degree of sanction to each violation. If they don't have the resources to accurately target the offenders, they are doing more harm than good. As the maxim goes, "Better that ten guilty persons escape than that one innocent suffer."

Until then, corporate and organizational admins need to avoid the blacklists like the plague. It's too easy to block vital access to your inbox from customers, because Spamhaus unfairly labeled them a spammer. There are much better anti-spam tools at this point, ones that don't libel the innocent.

Postscript: Monday afternoon, after several calls to my hosting provider, they evidently did whatever was necessary to satisfy Spamhous, and the blacklist was removed. However, this still mean I was unable to send e-Mail to many people I regularly correspond with for most of three days.