Avoiding Bad Web Hosting Neighborhoods

  #1  
Old 09-15-2008, 01:50 PM
Tom Mortimer Tom Mortimer is offline
Newbie
 
Join Date: Sep 2008
Location: Leeds, UK
Posts: 10

Avoiding Bad Web Hosting Neighborhoods


I'm Tom Mortimer, and I volunteer with Spamhaus, the U.K. based anti-spam blocklist. Late last week I was introduced to the Web Hosting Talk forum because a fellow blocklister came under attack by someone who turned out to have quite the record for several types of online lunacy. Since then, I've been reading the board and becoming acquainted with what happens here.

I'm impressed. Most of you appear to be sane :-) and there are some very knowledgeable web hosting professionals here. So I thought I would post about a project I am working on at Spamhaus, and see if I could get some help.

I want to write an article for the Spamhaus web site. It will be aimed at web hosting customers, and will explain how to evaluate ISPs and web hosting providers for security and spam prevention issues. We call this "avoiding bad neighborhoods."

As one forum user (phorum) discovered last week, hosting a perfectly legitimate web site at a rogue provider can mean your web site loses connectivity without warning. Hosting at a bad provider, one that has lax or no abuse enforcement or that deliberately allows spammers to host their web sites on the same IPs as innocent customers, can cause your web site IP to end up on a blocklist despite your having done nothing wrong.

In cases of shared hosting and an indifferent or openly spam-supporting web hosting company, blocklists often find themselves between a rock and hard place: they can list the spammer's IP and hurt innocent customers, or allow the spammer to remain unlisted and hurt innocent users. At some point alleviating the second problem will trump the first.

What we want to do is to provide web hosting customers, especially smaller web hosting customers that may share a server and/or an IP with other web sites, with the tools they need to determine what sort of job their host is doing at keeping a clean network.

Obviously, two of the things to be done are:

* Check reputable blocklists to see how much of a web hosting company's IP space is listed, and (perhaps more important) for how long listings remain active.
* Check reputation services, such as Senderscore.

What other measures would you, as experienced customers of web hosting service, or as web hosting providers, take?



  #2  
Old 09-15-2008, 01:57 PM
gigapros gigapros is offline
Disabled
 
Join Date: Mar 2008
Location: USA
Posts: 144
Have you designed any plan yet on how to verify the "abuse enforcement" for the ISPs?

  #3  
Old 09-15-2008, 02:07 PM
FS - Mike FS - Mike is offline
Web Hosting Master
 
Join Date: Jun 2006
Location: Devon, UK
Posts: 1,307
That's a difficult question to answer. Sometimes you could find a perfectly good web host who is very reputable and be unlucky at one point in time. Although most good hosts will have implemented measures to reduce the ability of a customer to spam within 2 minutes of their account becoming active however this would require the client to ask pre-sales questions such as "How many e-mails do you limit sending per hour?".

Mike

  #4  
Old 09-15-2008, 02:31 PM
Tom Mortimer Tom Mortimer is offline
Newbie
 
Join Date: Sep 2008
Location: Leeds, UK
Posts: 10
Quote:
Originally Posted by gigapros View Post
Have you designed any plan yet on how to verify the "abuse enforcement" for the ISPs?
No. That would involve setting up criteria that would enable us and others to measure objectively how well an ISP or web host is doing overall. I don't believe that this is an appropriate role for a blocklist. We are likely to be one of the criteria any proper evaluation would take into account. That being the case, having a neutral third party do the evaluation would prevent conflicts of interest and provide a more credible outcome.

What I hope to do is to show users how to make this evaluation themselves, at least sufficiently for their purposes.

  #5  
Old 09-15-2008, 02:37 PM
Tom Mortimer Tom Mortimer is offline
Newbie
 
Join Date: Sep 2008
Location: Leeds, UK
Posts: 10
Quote:
Originally Posted by Coldkill View Post
That's a difficult question to answer. Sometimes you could find a perfectly good web host who is very reputable and be unlucky at one point in time. Although most good hosts will have implemented measures to reduce the ability of a customer to spam within 2 minutes of their account becoming active however this would require the client to ask pre-sales questions such as "How many e-mails do you limit sending per hour?".
True. There are a number of other things that an ISP or web hosting provider can do to vet a new customer, though. Getting and checking references is one. Searching the Spamhaus web site and other locations for that customer's name, company name, postal address, and domain can also provide valuable information. Not all spammers hide their identities, although many do. I believe there are also methods for having a credit card company check a credit card number for fraud before you accept payment, although I haven't had to deal with that aspect of the business.

Perhaps an article on how an ISP can avoid bad customers would make a good complement to the article I am now working on. :-)

  #6  
Old 09-15-2008, 05:55 PM
cartika-andrew cartika-andrew is offline
Location = SoapBox
 
Join Date: Oct 2003
Posts: 6,395
Quote:
Originally Posted by Tom Mortimer View Post
Perhaps an article on how an ISP can avoid bad customers would make a good complement to the article I am now working on. :-)
to be fair, how to avoid bad customers is either something a company does or doesn't do... nothing is perfect, but, I can't recall the last time a user got through and just started spamming on our system (though, it certainly has happened and can happen to even the most careful providers)

What would be of better interest is more effective mechanisms of dealing with known mail servers.

Quote:
Originally Posted by Tom Mortimer View Post
In cases of shared hosting and an indifferent or openly spam-supporting web hosting company, blocklists often find themselves between a rock and hard place: they can list the spammer's IP and hurt innocent customers, or allow the spammer to remain unlisted and hurt innocent users. At some point alleviating the second problem will trump the first.
If a company is hosting known spammers and are continually doing it, and not addressing the problem, then they should have their IPs listed and possibly a message for those discovering the list letting them know the reason for the listing (and maybe even have a comprehensive listing scale ranging from severe to minor).


Honestly, the real problem area lies someplace in the middle. Many small to very large hosting providers share a common issue with respect to blacklisting. Often times, very good providers are improperly listed. Shared hosting in particular involves many clients sharing a single mail server IP address - and for the most part, these IPs are treated no differently than a server hosting mail for a single domain. Some sort of qualification needs to be made for mail servers based on the number of domains hosted - or maybe even a shared server classification. Issues with false reporting, temporary spamming activity until it is discovered and the user removed, potentially exploited scripts before appropriate updates or upgrades are made (typically reliant on the client), etc cause severe confusion for all involved. It hurts the providers, it hurts the clients and all the while known spammers are continuing on their merry way by switching IPs.

Ultimately, there needs to be a system in place where providers offering mail services to 1000's of clients are given the opportunity to be web friendly and reduce the 'bad neighbourhood' effect you are talking about. A feedback loop with subscribed providers which meet certain criteria is a great place to start. Any provider that can be made aware of a spamming issue or other related issue in their environment, be given the opportunity to clean it up within x timeframe and report back as resolved will enable everyone to operate in a pro-active manner. A provider or ISP can then stay compliant and RBL listing free 100% of the time, as long as they stay compliant and as long as any reports are resolved within x timeframe. As it stands today, everyone is in reactive mode - and the spammers are the ones benefiting from this

  #7  
Old 09-16-2008, 03:32 PM
Tom Mortimer Tom Mortimer is offline
Newbie
 
Join Date: Sep 2008
Location: Leeds, UK
Posts: 10
Quote:
Originally Posted by cartika-andrew View Post
to be fair, how to avoid bad customers is either something a company does or doesn't do... nothing is perfect, but, I can't recall the last time a user got through and just started spamming on our system (though, it certainly has happened and can happen to even the most careful providers)

What would be of better interest is more effective mechanisms of dealing with known mail servers.
I'm unsure what you mean by "known mail servers." Do you mean mechanisms for ISPs to deal with customers who send bulk email that is supposed to be opt-in? Or do you mean mechanisms for blocklists to deal with large, shared mail servers that send some spam, but also send legitimate email?

Quote:
Originally Posted by cartika-andrew View Post
If a company is hosting known spammers and are continually doing it, and not addressing the problem, then they should have their IPs listed and possibly a message for those discovering the list letting them know the reason for the listing (and maybe even have a comprehensive listing scale ranging from severe to minor).
I'm sure you will be happy to know that we at Spamhaus are in complete agreement with this. ;-)

Quote:
Originally Posted by cartika-andrew View Post
Honestly, the real problem area lies someplace in the middle. Many small to very large hosting providers share a common issue with respect to blacklisting. Often times, very good providers are improperly listed. Shared hosting in particular involves many clients sharing a single mail server IP address - and for the most part, these IPs are treated no differently than a server hosting mail for a single domain. Some sort of qualification needs to be made for mail servers based on the number of domains hosted - or maybe even a shared server classification.
At Spamhaus, we have a policy that we do not list the shared outgoing mail servers of ISPs unless an ISP is completely rogue and we believe it has a negligible number of legitimate customers. We don't come to that conclusion about an ISP lightly or without a great deal of evidence; I have been working with Spamhaus for three years and have noticed fewer than a dozen such cases in that time.

Our usual procedure, if an ISP mail server is sending spam, is to notify the ISP and ask them to take care of the problem. The notice can be in the form of an email to the ISP abuse address or a contact we have at the ISP, or can be in the form of a ".0/32" SBL listing. (A ".0/32" listing is a listing, not of the actual IP that hosts the spamming mail server, but of the .0 IP of that /24. Since nobody hosts servers on the .0 IP in a /24, this sort of listing doesn't block any email.) I prefer to use a .0/32 listing personally because it documents the problem in our database; the other team members have their own preferences.

If the ISP does not respond or does not take care of the problem within a reasonable period, we may escalate, but usually by listing corporate mail servers rather than customer servers. We don't do this unless a problem is severe and the ISP has been completely unresponsive, though.

I think where you and your colleagues here might have a problem is when we list the IP of the spammer's web site. We have no specific policy about listing web hosting IPs, but we try not to list IPs that are known to host many other web sites unless lesser measures fail. (We have a number of IP ranges "marked" as shared hosting in our database, to warn us about likely false positives.)

It is unfortunately often difficult to tell whether a spammer's web site is on shared hosting or not from the outside. Perhaps we could talk about ways for web hosts to "mark" shared hosting IPs?

Other blocklists have other policies, of course. I have a high regard for the NJABL, Spamcop, and Invaluement blocklists: they are well run and responsive. The SURBL URI-based blocklists, which list domains and IPs that are advertised in the message bodies of spam, are also well run. I have heard that the URIBL URI-based blocklist is fairly good, as well, although more aggressive than the SURBLs. Not surprisingly, these blocklists are also widely used and a listing in them can be a serious problem.

Other blocklists are more aggressive, some of them insanely so. The more aggressive a blocklist, the more prone it tends to be to false positives, and consequently the less it is normally used. This mitigates the problems caused when a blocklister lists an ISP's entire IP space for hitting a spamtrap once. :/

Quote:
Originally Posted by cartika-andrew View Post
Issues with false reporting, temporary spamming activity until it is discovered and the user removed, potentially exploited scripts before appropriate updates or upgrades are made (typically reliant on the client), etc cause severe confusion for all involved. It hurts the providers, it hurts the clients and all the while known spammers are continuing on their merry way by switching IPs.
At Spamhaus, we don't accept or use spam complaints from the public precisely because of the potential for false complaints. If we create a listing, it is either because spam hit an email address we own or that is under our control, or because the listed IP is under the control of a spammer on our ROKSO list. We have a great many spamtraps, which are email addresses that do not belong to a real person, never send email, and never ask to receive any type of email. They are the source of evidence for our SBL listings.

Most spammers are real bastards, and they make life difficult on us all. As much as I enjoy working with the Spamhaus team, I would love it if spam suddenly disappeared and we all had to find something else to do with our evenings.

Quote:
Originally Posted by cartika-andrew View Post
Ultimately, there needs to be a system in place where providers offering mail services to 1000's of clients are given the opportunity to be web friendly and reduce the 'bad neighbourhood' effect you are talking about. A feedback loop with subscribed providers which meet certain criteria is a great place to start.
Feedback loops are excellent. We strongly recommend that any ISP or hosting provider avail themselves of the feedback loops provided by Spamcop, AOL, Hotmail, Outblaze, and other large ISPs and companies.

Quote:
Originally Posted by cartika-andrew View Post
Any provider that can be made aware of a spamming issue or other related issue in their environment, be given the opportunity to clean it up within x timeframe and report back as resolved will enable everyone to operate in a pro-active manner. A provider or ISP can then stay compliant and RBL listing free 100% of the time, as long as they stay compliant and as long as any reports are resolved within x timeframe. As it stands today, everyone is in reactive mode - and the spammers are the ones benefiting from this
There is one weakness with this approach, which is that the spammer will have a window of opportunity while the conversation between blocklist and ISP is going on. The intent of real-time blocklists, starting with the first (MAPS RBL) was to respond quickly so that spam could be blocked while a provider dealt with the problem. Unfortunately spammers evolve quickly, and learned to make use of shared resources and to hide behind innocent customers.

We try to be very responsive at Spamhaus, though, and we generally don't list an IP until the problem is not just established but fairly serious. If you've had occasion to deal with us, I hope you'd have seen this. But it sounds as if you run a tight shop, so perhaps you haven't had to deal with us. (A good thing overall.)

I'm not certain how to best deal with the problems you mention. That's one reason I stuck around here; I thought some of you might have ideas I hadn't thought of, and the rest of us hadn't thought of yet. :-)
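
Added example, not part of the original thread and not Spamhaus code: a sketch of the blocklist check suggested in the first post, using the standard DNSBL query convention (reversed octets prepended to the list's zone) and keeping a listing on the .0 address, which the post above describes as a notice that blocks no mail, apart from listings on the other addresses in the /24. The zone `dnsbl.example`, the sample listings and all function names are constructed for illustration.

```python
import ipaddress
import socket


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(str(ip))).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_lookup(name):
    """Live lookup: return the A record as text, or None when not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def survey_24(any_ip, zone, lookup=dns_lookup):
    """Query every address in the /24 that contains any_ip.

    A hit on the .0 address is reported separately as 'advisory': per the
    post above it documents a problem without blocking mail. Hits on any
    other address go into 'blocking'.
    """
    net = ipaddress.ip_network(f"{any_ip}/24", strict=False)
    advisory = None
    blocking = {}
    for addr in net:  # iterating a network includes the .0 and .255 addresses
        answer = lookup(dnsbl_name(addr, zone))
        # DNSBLs answer inside 127.0.0.0/8. Anything else (for instance a
        # resolver that rewrites NXDOMAIN to an ad server) is not a listing.
        if answer is None or not answer.startswith("127."):
            continue
        if addr == net.network_address:
            advisory = answer
        else:
            blocking[str(addr)] = answer
    return {"network": str(net), "advisory": advisory, "blocking": blocking}


# Constructed sample data standing in for a real blocklist zone, so the
# example runs offline. 192.0.2.0/24 is a documentation range.
SAMPLE_ANSWERS = {
    "0.2.0.192.dnsbl.example": "127.0.0.2",    # .0 notice listing
    "77.2.0.192.dnsbl.example": "127.0.0.2",   # listing on a usable address
    "10.2.0.192.dnsbl.example": "203.0.113.5", # bogus non-127 answer, ignored
}


def sample_lookup(name):
    """Offline stand-in for dns_lookup, backed by SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    report = survey_24("192.0.2.77", "dnsbl.example", sample_lookup)
    print("network :", report["network"])
    print("advisory:", report["advisory"])
    for ip, code in sorted(report["blocking"].items()):
        print("listed  :", ip, code)
```

Running the same survey at intervals and comparing the results shows how long listings stay active, which the first post calls perhaps the more important signal.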

  #8  
Old 09-16-2008, 04:05 PM
cartika-andrew cartika-andrew is offline
Location = SoapBox
 
Join Date: Oct 2003
Posts: 6,395
Quote:
Originally Posted by Tom Mortimer View Post
I'm unsure what you mean by "known mail servers." Do you mean mechanisms for ISPs to deal with customers who send bulk email that is supposed to be opt-in? Or do you mean mechanisms for blocklists to deal with large, shared mail servers that send some spam, but also send legitimate email?
Thanks for your reply - really do appreciate this conversation...you are of course correct, I should differentiate between when I am speaking of Spamhaus vs general statements about RBL providers... For the record, we rely heavily on you guys and are very satisfied on the whole with the results..

I don't think there should be any tolerance for mail servers sending spam - but, I do think there needs to be some sort of classification for ISPs or shared mail server providers..


Quote:
I'm sure you will be happy to know that we at Spamhaus are in complete agreement with this. ;-)
yes, very happy

Quote:
At Spamhaus, we have a policy that we do not list the shared outgoing mail servers of ISPs unless an ISP is completely rogue and we believe it has a negligible number of legitimate customers. We don't come to that conclusion about an ISP lightly or without a great deal of evidence; I have been working with Spamhaus for three years and have noticed fewer than a dozen such cases in that time.
that is good news - I think RBLs really fall apart typically because there is zero consideration for shared mail servers and the dynamics around them - I give you full marks if this is something you take into consideration...

Quote:
Our usual procedure, if an ISP mail server is sending spam, is to notify the ISP and ask them to take care of the problem. The notice can be in the form of an email to the ISP abuse address or a contact we have at the ISP, or can be in the form of a ".0/32" SBL listing. (A ".0/32" listing is a listing, not of the actual IP that hosts the spamming mail server, but of the .0 IP of that /24. Since nobody hosts servers on the .0 IP in a /24, this sort of listing doesn't block any email.) I prefer to use a .0/32 listing personally because it documents the problem in our database; the other team members have their own preferences.
We belong to all sorts of feedback loops - but, not for spamhaus - is there a formal program in place to have our mail servers recognized as an ISP or shared provider. We are EAGER to work with RBL providers in order to 1) keep mail flowing for legitimate users and 2) more quickly identify if and when we have an issue on shared servers so that it can be addressed more proficiently and if done properly, with zero impact to customers..

Quote:
If the ISP does not respond or does not take care of the problem within a reasonable period, we may escalate, but usually by listing corporate mail servers rather than customer servers. We don't do this unless a problem is severe and the ISP has been completely unresponsive, though.

I think where you and your colleagues here might have a problem is when we list the IP of the spammer's web site. We have no specific policy about listing web hosting IPs, but we try not to list IPs that are known to host many other web sites unless lesser measures fail. (We have a number of IP ranges "marked" as shared hosting in our database, to warn us about likely false positives.)
sounds fair enough

Quote:
It is unfortunately often difficult to tell whether a spammer's web site is on shared hosting or not from the outside. Perhaps we could talk about ways for web hosts to "mark" shared hosting IPs?
really interesting idea and I am certainly open to any such discussions, especially if the objective is to build more meaningful relationships between hosting providers and RBL providers. for us in particular, we spend a great deal of time and effort keeping our IPs clean (and I am sure a lot of our colleagues face the same issue) - a system of building a "trusted" relationship where it is known we aren't spam sources, but, it is also understood to be somewhat the nature of shared hosting to have the occasional incident slip through and allow larger, shared mail servers a "window" in which to address issues and communicate resolutions with RBL providers would be a HUGE value for all involved (customers, providers and RBL services like spamhaus)

Quote:
Other blocklists have other policies, of course. I have a high regard for the NJABL, Spamcop, and Invaluement blocklists: they are well run and responsive. The SURBL URI-based blocklists, which list domains and IPs that are advertised in the message bodies of spam, are also well run. I have heard that the URIBL URI-based blocklist is fairly good, as well, although more aggressive than the SURBLs. Not surprisingly, these blocklists are also widely used and a listing in them can be a serious problem.

Other blocklists are more aggressive, some of them insanely so. The more aggressive a blocklist, the more prone it tends to be to false positives, and consequently the less it is normally used. This mitigates the problems caused when a blocklister lists an ISP's entire IP space for hitting a spamtrap once. :/



At Spamhaus, we don't accept or use spam complaints from the public precisely because of the potential for false complaints. If we create a listing, it is either because spam hit an email address we own or that is under our control, or because the listed IP is under the control of a spammer on our ROKSO list. We have a great many spamtraps, which are email addresses that do not belong to a real person, never send email, and never ask to receive any type of email. They are the source of evidence for our SBL listings.

Most spammers are real bastards, and they make life difficult on us all. As much as I enjoy working with the Spamhaus team, I would love it if spam suddenly disappeared and we all had to find something else to do with our evenings.
you are of course correct. I think my initial comments were geared towards end user reporting based RBL systems - which honestly, just create headaches for absolutely everyone..

Quote:
Feedback loops are excellent. We strongly recommend that any ISP or hosting provider avail themselves of the feedback loops provided by Spamcop, AOL, Hotmail, Outblaze, and other large ISPs and companies.
many of these providers do indeed have feedback loops - I do not believe hotmail, MSN, etc do - but, that is another issue altogether. It does become frustrating with some of these - AOL in particular has this all @$$ backwards with end user reporting - and to make it worse, they don't look at the actual source, so, often times we will see users getting themselves blacklisted by reporting forwarded email - so, the onus falls back on the hosting provider to educate the consumer on what they should and should not report to AOL as spam - however, that isn't really a scalable solution - so, ultimately providers like us end up spending 1000s upon 1000s of dollars to block more spam so that ultimately end users cannot make this mistake - having said this, we aren't speaking spamhaus issues here so probably not worth taking it up with you (but, nice to vent sometimes)

Quote:
I'm not certain how to best deal with the problems you mention. That's one reason I stuck around here; I thought some of you might have ideas I hadn't thought of, and the rest of us hadn't thought of yet. :-)
I am not sure this is even possible, but, what would really benefit this industry is some standardization - now, I know this is likely not possible - but, we really need a company like spamhaus, that understands how this all works to be more involved with the major ISPs... when a user of AOL can get an entire mail server blocked from sending to AOL by reporting their own forwarded mail as spam - well, there is an issue there - I'm honestly not sure these ISPs would listen to the likes of us or even Spamhaus - but, I am wondering out loud what your level of communication is with these larger ISPs and what input, if any, you have towards the formulation of their spam policies...

  #9  
Old 09-17-2008, 01:29 AM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
We offer our clients a means to get on a small IP pool, rather than the shared, primary system IP, assuming they don't have a dedicated IP, and emails go out from their own IP or IP pool, unless they are on the lowest plan(s). This prevents them from being victims of RBL listings if someone else on the same server has a script exploited. The problem is, even on an IP pool, while it greatly reduces the issue, unless they get a dedicated/unique IP, there's always that chance. What needs to be done, is to check how proactive and legitimate the web host is, because any web host can have a seemingly legitimate user abuse the service, or more likely, have their script exploited and the host can act as quickly and effectively as possible, but then it's too late. If a host acts quickly enough and takes appropriate actions, they should be allowed on some whitelist that prevents blacklistings for their servers, because you absolutely know they really care and really do take immediate actions. Unless something like that is implemented, there's really no good way to prevent honest spam fighting hosts from being punished for things that they really can't foresee, no matter what prevention methods they might implement. Not that we all don't understand the need to take measures against a spamming system, even if automated, of course.

  #10  
Old 09-17-2008, 01:40 PM
Tom Mortimer Tom Mortimer is offline
Newbie
 
Join Date: Sep 2008
Location: Leeds, UK
Posts: 10
Quote:
Originally Posted by cartika-andrew View Post
Thanks for your reply - really do appreciate this conversation...you are of course correct, I should differentiate between when I am speaking of Spamhaus vs general statements about RBL providers... For the record, we rely heavily on you guys and are very satisfied on the whole with the results.
Thanks for the vote of confidence. We do try. ;-)

Quote:
Originally Posted by cartika-andrew View Post
I don't think there should be any tolerance for mail servers sending spam - but, I do think there needs to be some sort of classification for ISPs or shared mail server providers.
Which (as you seem to recognize, but others do not) is a somewhat contradictory position and yet the only way to make a blocklist work in the real world.

Quote:
Originally Posted by cartika-andrew View Post
that is good news - I think RBLs really fall apart typically because there is zero consideration for shared mail servers and the dynamics around them - I give you full marks if this is something you take into consideration.
We didn't always, and we discovered for ourselves that failing to consider the number of innocent users an SBL listing might impact often amounted to using a brickbat to swat a fly. The whole point of the original blocklisting system (the MAPS RBL) was to allow quick and accurate listing of spam sources. At the time the RBL went live, most higher-volume spammers spammed from their own fixed IPs, so listing those IPs did not affect innocent users.

Some lower-volume spammers used their ISP's shared server, and it was when dealing with them that blocklisters learned the importance of proportionate response. Blocklists were not as widely used at the time, so listing a shared server did not cause the level of pain that doing so today on a major blocklist will cause. It did cause a fair bit of pain, however, which caused a significant number of ISPs to ask us to hold off on those listings and warn them instead, so that they could remove the spammer without inconveniencing innocent users. At Spamhaus, we tried it, and quickly discovered which ISPs were reliable and which were not.

Currently, when we know that an ISP is reliable, we usually just warn them about a problem unless the issue is something more serious than simple spamming. Where web hosting companies are concerned, for example, we usually will list the IP of a server hosting a phish site or malware (virus or trojan) immediately even when we know that the server has many innocent web sites on it. This is because any delay can lead to foolish, but innocent, users handing their private financial information over to a phisher or having their computer infected by a virus or trojan.

For a spammed web site, if we know that the ISP or web hosting company will remove spammed web sites or, for first-time offenders, issue them a warning that has some teeth, we normally won't list an IP that we know or suspect is shared hosting.

Quote:
Originally Posted by cartika-andrew View Post
We belong to all sorts of feedback loops - but, not for spamhaus - is there a formal program in place to have our mail servers recognized as an ISP or shared provider.
No, and I doubt that there will be. For many reasons, we must protect the anonymity of our spamtraps. First, of course, we do not want to provide spam-friendly providers with a tool to help their spamming clients remove our spamtraps and then continue to spam everybody else. Second, at least as important, we do not want the identities of our spamtraps to be known because then abusive users can feed them to a non-confirming bulk email list. While we strongly prefer that bulk emailers use a confirmed opt-in (COI) process, which won't subscribe spamtraps because spamtraps don't respond to the confirmation emails, we consider deliberate forged subscriptions to non-confirming bulk email lists to constitute entrapment. We do not allow ourselves to be used that way.

There is absolutely no reason that a group of web hosting providers could not set up a shared feedback loop service, however. There would be some cost, and you probably would want to talk with us about how to create or obtain and manage spamtrap email addresses. We would be happy to cooperate with such an effort; I at least think it would be an excellent idea.

Quote:
Originally Posted by cartika-andrew View Post
We are EAGER to work with RBL providers in order to 1) keep mail flowing for legitimate users and 2) more quickly identify if and when we have an issue on shared servers so that it can be addressed more proficiently and if done properly, with zero impact to customers.
I can't speak for other blocklists, but I can tell you how to do this with us. First, create and *read* the appropriate abuse@ email address for your domain or domains. Second, require that your customers do the same for each of their domains. Third, update the Abuse contact list at abuse.net with the proper contact information for all of your domains. You should do the same for all of your customers' domains if they do not do this themselves.

Fourth, if you receive email from Spamhaus reporting that an IP has been listed, deal with the problem promptly, preferably within 24 hours, and notify us as soon as you have done so. You should notify us by clicking the Contact link at the bottom of the SBL listing web page for that SBL record, which will route your request to the Spamhaus team member responsible for the listing. We normally respond to delisting requests within 24 hours during the week, 48 over a weekend or holiday. (By the way, for most of us, "holiday" means UK holidays, not US.) :-)

Once we see that you remove spammers quickly, you will find that we are correspondingly less prone to list them in the first place. You'll either simply get a spam report from us, or we will list a .0/32 for the IP instead of listing the actual IP.

Quote:
Originally Posted by cartika-andrew View Post
many of these providers do indeed have feedback loops - I do not believe hotmail, MSN, etc do - but, that is another issue altogether. It does become frustrating with some of these - AOL in particular has this all @$$ backwards with end user reporting - and to make it worse, they don't look at the actual source, so, often times we will see users getting themselves blacklisted by reporting forwarded email - so, the onus falls back on the hosting provider to educate the consumer on what they should and should not report to AOL as spam - however, that isn't really a scalable solution - so, ultimately providers like us end up spending 1000s upon 1000s of dollars to block more spam so that ultimately end users cannot make this mistake - having said this, we aren't speaking spamhaus issues here so probably not worth taking it up with you (but, nice to vent sometimes)
It is indeed. :-)

Quote:
Originally Posted by cartika-andrew View Post
I am not sure this is even possible, but, what would really benefit this industry is some standardization - now, I know this is likely not possible - but, we really need a company like spamhaus, that understands how this all works to be more involved with the major ISPs... when a user of AOL can get an entire mail server blocked from sending to AOL by reporting their own forwarded mail as spam - well, there is an issue there - I'm honestly not sure these ISPs would listen to the likes of us or even Spamhaus - but, I am wondering out loud what your level of communication is with these larger ISPs and what input, if any, you have towards the formulation of their spam policies...
Not Spamhaus; we and any other DNSBL or RHSBL are players, not impartial observers, any more than any of you are impartial observers. What might work is an industry organization that includes us all. There is one for ISPs, blocklists, and others with an interest in sending email: MAAWG, the Messaging Anti-Abuse Working Group. I think the system will let me post URLs now, so I will try:

http://www.maawg.org

Perhaps MAAWG would make a good forum for working out an oversight board, or perhaps we should consider starting a similar organization for web hosting providers, blocklists, and other stakeholders in web hosting and related services that can be impacted by anti-spam efforts.

  #11  
Old 09-17-2008, 01:54 PM
Tom Mortimer Tom Mortimer is offline
Newbie
 
Join Date: Sep 2008
Location: Leeds, UK
Posts: 10
Quote:
Originally Posted by Tim Greer View Post
We offer our clients a means to get on a small IP pool, rather than the shared, primary system IP, assuming they don't have a dedicated IP, and emails go out from their own IP or IP pool, unless they are on the lowest plan(s). This prevents them from being victims of RBL listings if someone else on the same server has a script exploited.
This sounds like an excellent idea. I just made a note, and will be suggesting the same to the smaller web hosting providers I deal with. Many of them can do what you do; it doesn't require separate hardware, just separate server processes and a bit of extra RAM to hold them.

Quote:
Originally Posted by Tim Greer View Post
The problem is, even on an IP pool, while it greatly reduces the issue, unless they get a dedicated/unique IP, there's always that chance. What needs to be done, is to check how proactive and legitimate the web host is, because any web host can have a seemingly legitimate user abuse the service, or more likely, have their script exploited and the host can act as quickly and effectively as possible, but then it's too late. If a host acts quickly enough and takes appropriate actions, they should be allowed on some whitelist that prevents blacklistings for their servers, because you absolutely know they really care and really do take immediate actions. Unless something like that is implemented, there's really no good way to prevent honest spam fighting hosts from being punished for things they really can't foresee, no matter what prevention methods they might implement. Not that we all don't understand the need to take measures against a spamming system, even if automated, of course.
We have informal measures at Spamhaus to take note of good ISPs and web hosts with shared hosting space. The problem is that usually an ISP or web host has to have a problem with a spammer and deal with that problem before that web host can get onto our radar as a responsible business that deals quickly and effectively with spam issues.

The email sending businesses have done a considerable amount of work on creating whitelists of responsible providers. Some of those are the ReturnPath Bonded Sender list (the most widely used), the Habeas list, the Whitehat list, and the ISIPP's SuretyMail list. They've had mixed success, however, mostly because these services are plagued with the problems caused by a few bulk emailers who want to game the system. :-/

Perhaps web hosting providers could try something of the same type by creating an industry association, setting up criteria for accreditation as a responsible web host, and then creating a DNS-based whitelist that works like a blacklist in reverse. While Spamhaus couldn't be directly involved in an effort like this because of conflict-of-interest issues, I would be happy to provide advice on criteria for responsible abuse management, and on any technical issues with setting up the whitelist.

  #12  
Old 09-17-2008, 02:10 PM
cartika-andrew cartika-andrew is offline
Location = SoapBox
 
Join Date: Oct 2003
Posts: 6,395
Quote:
Originally Posted by Tom Mortimer View Post
Which (as you seem to recognize, but others do not) is a somewhat contradictory position and yet the only way to make a blocklist work in the real world.
I do agree, on the micro level, it is certainly a contradiction, however, on the macro level it is a harmonious solution as the ultimate objective is to promote and encourage "safe" mailing servers. Everyone, and I mean absolutely everyone is subject to occasional incidents, it is after all the nature of the business. Co-operation is the only way to resolve the issue and ultimately improve the situation moving forward. As it stands now, it is a battlefield and this sort of environment just creates a breeding ground for spammers as major hosting providers and major ISPs just juggle the hot potato and continually pass the buck wherever possible...

We have a very major ISP as a white label hosting customer of ours. Needless to say, when they blocked all of their own hosting customers from sending mail to their servers because ONE of their end users reported a bunch of forwarded mail from their hosting account to their ISP email account as spam, the ISP absolutely lost their mind. When they realized how this happened, they were at a complete loss for how to deal with it. They finally just whitelisted all of our mail server IPs - but, they clearly recognized a flaw with their process - to this date, they still do not have a permanent resolution and are unable to effect change internally within their own organization. We are working diligently with them in an effort to set a new standard for how they handle spam reporting. I have to give them full credit for recognizing the problem and trying to address it - but, have to tell you, on the whole, these organizations do not have a clue as to the impact of their policies... (the good news in this case at least, is the ISP now understands this)

Quote:
or perhaps we should consider starting a similar organization for web hosting providers, blocklists, and other stakeholders in web hosting and related services that can be impacted by anti-spam efforts.
I am all ears.... I am going to sound like a broken record, and I am certainly out on a limb here - but, unless we all figure out a way to work together, the combative attitude that exists between ISPs, webhosting providers, blocklists, etc will continue to proliferate and all that is accomplished is creating an environment in which spammers thrive and replicate (like mosquitoes in a swamp)... honestly, this isn't a difficult thing to deal with, we just all need to stop tripping over each other....

  #13  
Old 09-17-2008, 02:20 PM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
I think something like that could work, and I'd be willing to do whatever part to help it come to fruition. I really appreciate your involvement and desire to offer solutions and suggestions -- this is most excellent!

As for DNS based whitelists, this could work, provided it doesn't allow any spammer with control of a server to set the hostname or DNS to something it shouldn't be to get on a whitelist, of course, but that would be pretty simple. Maybe even some method to have companies register with their company's hostnames and require some login, where they can add new hostnames and maybe IP ranges.

This could go as far as having a contact address for them personally to be immediately alerted (though they should obviously have a postmaster and abuse address anyway). As you suggested, as long as it doesn't cause any conflict of interests, favoritism, etc., I'm sure there are several things that could help avoid the spam fighting hosts from suffering. I suppose there sort of already exists a points system, and you can add or take away.

For example, too many instances and they rank lower and can be flagged or permanently blocked. Sorry for the lack of details in the idea or if it seems a little "all over the place", as this is just things off the top of my head. I don't want to suggest something that would be too complex and involved, because something on a fairly basic level could easily suffice.

I really like the idea of some sort of association, accreditation, whereby perhaps when the trusted people on (sort of) a board (for example) could determine (as humans, rather than a bot or some impossible to be perfect programming logic) if a host has really taken appropriate action (if they are on this approved white list).

I've actually been wanting to create some secure (and private) method whereby legitimate, pre-approved web hosts can have a database to check against for fraudulent orders (searching details they've been provided on an order, to see if it's in a database of known spammers, systems abusers or just flat out fraud), and this is a somewhat similar idea.

In all, and in the end, we all want to prevent a victimized host's system from having 200,000 spam emails reach all of the recipients, so I do understand that regardless of the policies that could be placed, that they still might need to be blocked (because their 5 or 10 minute response time could be too long, if they don't have proper restrictions/limitations on emails or a secure enough server/mta). Perhaps some sort of sanity checks for approved whitelisted hosts would have to be a prerequisite. Anyway, I like where this is going, even if nothing ends up changing, seeing how receptive you guys are there is really refreshing to see with an RBL.
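How a DNS-based whitelist "that works like a blacklist in reverse" (post #11) is queried, as an added example that is not code from the thread or from any list it names: the lookup is keyed on the connecting IP address, never on a hostname the sender chooses, which is the concern raised in post #13. The zone names, the in-memory records and the `decide` policy are assumptions made for illustration; a real deployment would replace `resolve` with a DNS A-record query.

```python
import ipaddress

# Constructed stand-in for DNS: query name -> A record. Zone names are hypothetical.
WL_ZONE = "wl.hosts.example"   # accreditation whitelist (assumed name)
BL_ZONE = "bl.example"         # blocklist (assumed name)
RECORDS = {
    "10.2.0.192.wl.hosts.example": "127.0.0.2",   # 192.0.2.10 is accredited
    "10.2.0.192.bl.example": "127.0.0.2",         # ...and has also been reported
    "77.100.51.198.bl.example": "127.0.0.2",      # 198.51.100.77 is listed
}

def resolve(name):
    """Return the A record for name, or None for NXDOMAIN (constructed data)."""
    return RECORDS.get(name.lower())

def query_name(ip, zone):
    """Build the list query name: reversed address labels, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:  # IPv6 is looked up nibble by nibble, 32 labels, reversed
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def listed(ip, zone, resolver=resolve):
    """True only for an answer inside 127.0.0.0/8; any other answer is ignored,
    so a parked or wildcarded zone cannot list (or whitelist) everything."""
    answer = resolver(query_name(ip, zone))
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False

def decide(peer_ip, helo_name, resolver=resolve):
    """Assumed policy: an accredited host gets an abuse report instead of a block.
    helo_name is deliberately unused: the sender picks it, so it earns no trust."""
    on_wl = listed(peer_ip, WL_ZONE, resolver)
    on_bl = listed(peer_ip, BL_ZONE, resolver)
    if on_bl and on_wl:
        return "accept-and-report"
    return "reject" if on_bl else "accept"
```
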

  #14  
Old 09-17-2008, 02:20 PM
cartika-andrew cartika-andrew is offline
Location = SoapBox
 
Join Date: Oct 2003
Posts: 6,395
Quote:
Originally Posted by Tom Mortimer View Post

http://www.maawg.org

Perhaps MAAWG would make a good forum for working out an oversight board
actually, looking at this organization's website, they seem to be on the right track... thanks for the link..

  #15  
Old 09-17-2008, 03:53 PM
doc_flabby doc_flabby is offline
Aspiring Evangelist
 
Join Date: Oct 2006
Location: uk
Posts: 448
I'm a dedicated server user.

I had an issue where another IP in my provider's IP space was hosting malware and spamming.

However the entire IP space of the provider including my server ended up getting blocked. Fortunately I run several mail servers so it was a simple matter of redirecting mail, but I was angry that I was blocked for no reason other than the slow response of my provider in dealing with the problem.

Something I think every hosting provider could do themselves a favour is forcing your mail program to put the name of the user account of the email sender in the email headers. It makes tracking abuse/hacked accounts a lot easier.

Something that needs addressing is those ISPs that simply drop emails, you can send emails and they never get through, and you have no idea they have failed.
