[63019] in North American Network Operators' Group


RE: Re[2]: williams spamhaus blacklist

daemon@ATHENA.MIT.EDU (netadm)
Thu Sep 25 09:03:29 2003

Date: Thu, 25 Sep 2003 09:02:54 -0400
From: "netadm" <netadm@infolink.com>
To: "Steve Linford" <linford@spamhaus.org>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


>> That describes the escalation procedure of SPEWS, but is not at all
>> accurate for the SBL, we do not expand listings sideways into
>> customer space or block whole ISPs [*].
>>

Mr. Linford's Spamhaus has recently blocked our entire ISP because of 2
entities on our network we are working to terminate (it is a bit more
complicated than simply pulling the plug).

In addition, we have recently requested removal of listings once we have
terminated the customer in question, but received no response.

We can vouch for the fact that www.spamhaus.org blocks far more than
just sources of UCE. In our case, it is our entire network.

-----Original Message-----
From: Steve Linford [mailto:linford@spamhaus.org]
Sent: Thursday, September 25, 2003 8:22 AM
To: Hank Nussbacher; nanog@merit.edu
Subject: Re[2]: williams spamhaus blacklist



At 12:50 +0200 (GMT) 25/9/03, Hank Nussbacher wrote:
> AS3339 has a zero tolerance for spamming. With just one spam
> complaint we block the IP in question. We have a downstream customer
> that has many cybercafes in Africa that generate http and smtp spam
> and we block each complaint within 48 hours.
>
> None the less, here is a recent email extract I received from
> someone:
>
> "Hank, I am not a Spamhaus.org representative in any shape or form.
> I do not claim to speak for Spamhaus.org in any capacity. The
> University of xxxxxx is, however, a customer (i.e. as of this
> morning, we block e-mails from IP addresses listed on Spamhaus SBL).
>
> I am just guessing what might happen if the problem is not sorted
> out.
>
> I am sure you already know that the standard escalation procedure for
> many blocklists is first to block the single offending IP address,
> then the immediate smallest block that it is contained in according
> to WHOIS, then the entire block of the ISP, and if that fails to stop
> the spam, then the corporate MXes of the upstream ISP may be
> blocklisted."

That describes the escalation procedure of SPEWS, but is not at all
accurate for the SBL, we do not expand listings sideways into
customer space or block whole ISPs [*].

> Basically, we are being told if we don't drop the customer, our
> corporate MXes will be blocked. I would not call this an "extreme
> case", but it would appear that overzealous anti-spammers are perhaps
> going a bit overboard.

Luckily he claimed up-front to not be speaking for Spamhaus. I can
sympathize with the level of frustration of someone being bombarded
in spam, however we do not run escalations for single spammers
(unless the problem is chronic, but even then we'd always contact the
ISP and exhaust all other avenues).

[*] Although we do not list whole U.S. or European ISPs, that's not
strictly true for other areas of the net the "offshore" spammers have
gravitated to. We are currently leaning on China heavily and are at
this moment blocking large parts of Chinanet Shanghai (online.sh.cn)
ADSL netblocks, as it's the worst of the China spam problems with 120
separate SBL listings all of US-based spammers (all the usual
make-penis-fast crowd) hosted mainly on Shanghai ADSL lines. Spammers
like Alan Ralsky these days pump everything out via
SoBig-opened proxies with everything hosted in China, all run from
Detroit using VPN. The Chinese are now understanding this but it's
taken some time. That escalation should resolve itself 'any moment
now' too as they say they're starting the process of tracking down
and kicking off the horde of pests they've acquired these last months.

--
   Steve Linford
   The Spamhaus Project
   http://www.spamhaus.org
