Notes from a Senior Editor: Driving Nails with a Jackhammer

By James Turner
Senior Editor

Why does Spamhaus blacklist innocent mail servers?

By all reasonable standards, I should be the poster boy for the
anti-spam movement. I’ve locked down the mail server for my domain
so that only authorized users can send outgoing mail. I’ve
published Sender Policy Framework (SPF) records for my domain, so
that people can check if spam using my domain really came from an
authorized server. I even operate two honeypots for Project
Honeypot (http://www.projecthoneypot.org/).

Why, then, is Spamhaus, a UK-based organization that maintains a
blacklist of spam-producing mail servers, listing my server? Not
because my server sent any spam, but because I and 126 other
innocent people happen to exist in the same IP address range as a
real spammer. Rather than blacklist a single IP address, Spamhaus
is blacklisting half of a full class C range (128 IP addresses).
It’s akin to banning an entire street from using the postal system
because one homeowner was guilty of mail fraud.
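Two checks an admin caught in a listing like this wants to run, as an added example that is not part of the original column: how much collateral a range listing carries, and what the standard DNSBL lookup for a given IP looks like. The listed range 203.0.113.0/25 is constructed (documentation address space) to mirror the “half a class C” the column describes; the lookup convention (reversed octets prepended to the list zone, a 127.0.0.x answer meaning “listed”) is the one DNS-based blocklists such as Spamhaus zen use.

```python
"""Added example, not code from the original column.

Assumes the usual DNSBL convention (reversed IPv4 octets prepended
to the list zone; an A record in 127.0.0.0/8 means "listed") and a
constructed listed range, 203.0.113.0/25, standing in for the
"half a class C" block the column describes.
"""
import ipaddress
import socket

# Constructed sample listing: a /25 covers 128 addresses.
LISTED_RANGES = ["203.0.113.0/25"]


def collateral_for(ip: str, listed_ranges=LISTED_RANGES):
    """Return (listed_network, innocent_neighbours) for the first range
    containing ip, or (None, 0) if ip is inside no listed range.

    innocent_neighbours counts every address in the range except the
    single offending host, the column's 127-of-128 arithmetic.
    """
    addr = ipaddress.ip_address(ip)
    for cidr in listed_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net:
            return net, net.num_addresses - 1
    return None, 0


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed octets, then the zone.

    203.0.113.5 against zen.spamhaus.org becomes
    '5.113.0.203.zen.spamhaus.org'.
    """
    addr = ipaddress.IPv4Address(ip)          # rejects IPv6 and junk input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str = "zen.spamhaus.org"):
    """Query the DNSBL; return the 127.0.0.x answer if listed, else None.

    NXDOMAIN (raised as socket.gaierror) means "not listed".
    Needs network access, so it is not exercised by the offline checks.
    """
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    # Genuine DNSBL answers live in 127.0.0.0/8; anything else is a
    # resolver that rewrites NXDOMAIN, not a listing.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None


if __name__ == "__main__":
    net, innocents = collateral_for("203.0.113.77")
    print(f"203.0.113.77 sits inside {net}; "
          f"{innocents} other addresses share the listing")
    print("lookup name:", dnsbl_query_name("203.0.113.77", "zen.spamhaus.org"))
```

Running `is_listed` against your own outbound IP before customers report bounces is the cheap early warning; the collateral count is the number to quote when you ask the list operator or ISP why a whole block was taken down for one host.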

As a result, a lot of my outgoing e-mail has been bouncing back
over the last few days. I’ve contacted my ISP and Spamhaus, but I’m
still on day 3 of restricted sending. As a freelance writer, I
depend on my email for my livelihood. Thankfully, I’ve got a gmail
account that I can use to get my mail out, but I shouldn’t have to
go through the pain in the first place.

So why is Spamhaus being so aggressive in their blacklisting?
Well, one possibility is that they’re idiots, but I tend to
discount that idea. I think that they’re very savvy. They know that
most ISPs are slow to act on reports of spammers. So, blacklist 127
innocent users, who will complain most mightily to the ISP, and
suddenly there’s no more spammer.

Responding to my questions, Steve Linford of Spamhaus states
that the entire range was blacklisted because “the spammer is using
multiple IPs across and so obviously owns or has hijacked multiple
hosts in that range. In such cases we list what we deem necessary
to contain the spammer. The spams being sent from that range are
phishing spams forging two separate banks. Phishing is a serious
crime that needs immediate action to stop thousands of people
losing their life savings, it’s part of our task to quickly stop
phishing operations. We do not have the luxury of time permitting
us to sit around analyzing each IP in the range to see which others
are owned, nor the luxury of the ISP’s security department able to
tell us which other IPs the phisher owns. Our priority is to
protect our users.”

With great power comes great responsibility. Many individuals
and corporate entities depend on Spamhaus to protect them from
spam. But by blacklisting innocent users, Spamhaus cuts them off
from the outside world. Being able to send an email is no longer a
luxury; it can be the difference between getting a job and not.
Spamhaus needs to clean up their act, and apply the appropriate
degree of sanction to each violation. If they don’t have the
resources to accurately target the offenders, they are doing more
harm than good. As the maxim goes, “Better that ten guilty persons
escape than that one innocent suffer.”

Until then, corporate and organizational admins need to avoid
the blacklists like the plague. It’s too easy to block vital access
to your inbox from customers, because Spamhaus unfairly labeled
them a spammer. There are much better anti-spam tools at this
point, ones that don’t libel the innocent.

Postscript: Monday afternoon, after several
calls to my hosting provider, they evidently did whatever was
necessary to satisfy Spamhaus, and the blacklist was removed.
However, this still meant I was unable to send e-mail to many people
I regularly correspond with for most of three days.