RE: Re[2]: williams spamhaus blacklist

["netadm" <netadm () infolink com>]

> > That describes the escalation procedure of SPEWS, but is not at all 
> > accurate for the SBL, we do not expand listings sideways into 
> > customer space or block whole ISPs [*].

Mr. Linford's Spamhaus has recently blocked our entire ISP because of 2
entities on our network we are working to terminate (it is a bit more
complicated than simply pulling the plug).

In addition, we have recently requested removal of listings once we have
terminated the customer in question, but received no response.

We can vouch for the fact that www.spamhaus.org blocks far more than
just sources of UCE. In our case, it is our entire network.

-----Original Message-----
From: Steve Linford [mailto:linford () spamhaus org] 
Sent: Thursday, September 25, 2003 8:22 AM
To: Hank Nussbacher; nanog () merit edu
Subject: Re[2]: williams spamhaus blacklist



At 12:50 +0200 (GMT) 25/9/03, Hank Nussbacher wrote:
>  AS3339 has a zero tolerance for spamming.  With just one spam  
> complaint we block the IP in question.  We have a downstream  customer

> that has many cybercafes in Africa that generate http and  smtp spam 
> and we block each complaint within 48 hours.
>
>  None the less, here is a recent email extract I received from 
> someone:
>
>  "Hank, I am not a Spamhaus.org representative in any shape or form.  
> I do not claim to speak for Spamhaus.org in any capacity.  The  
> University of xxxxxx is, however, a customer (i.e. as of this  
> morning, we block e-mails from IP addresses listed on Spamhaus SBL).
>
>  I am just guessing what might happen if the problem is not sorted 
> out.
>
>  I am sure you already know that the standard escalation procedure for

> many blocklists is first to block the single offending IP address, 
> then  the immediate smallest block that it is contained in according 
> to WHOIS,  then the entire block of the ISP, and if that fails to stop

> the spam,  then the corporate MXes of the upstream ISP may be 
> blocklisted."

That describes the escalation procedure of SPEWS, but is not at all 
accurate for the SBL, we do not expand listings sideways into 
customer space or block whole ISPs [*].

>  Basically, we are being told if we don't drop the customer, our  
> corporate MXes will be blocked.  I would not call this an "extreme  
> case", but it would appear that overzealous anti-spammers are  perhaps

> going a bit overboard.

Luckily he claimed up-front to not be speaking for Spamhaus. I can 
sympathize with the level of frustration of someone being bombarded 
in spam, however we do not run escalations for single spammers 
(unless the problem is chronic, but even then we'd always contact the 
ISP and exhaust all other avenues).

[*] Although we do not list whole U.S. or European ISPs, that's not 
strictly true for other areas of the net the "offshore" spammers have 
gravitated to. We are currently leaning on China heavily and are at 
this moment blocking large parts of Chinanet Shanghai (online.sh.cn) 
ADSL netblocks, as it's the worst of the China spam problems with 120 
separate SBL listings all of US-based spammers (all the usual 
make-penis-fast crowd) hosted mainly on Shanghai ADSL lines. Spammers
like Alan Ralsky these days pump everything out via 
SoBig-opened proxies with everything hosted in China, all run from 
Detroit using VPN. The Chinese are now understanding this but it's 
taken some time. That escalation should resolve itself 'any moment 
now' too as they say they're starting the process of tracking down 
and kicking off the hoard of pests they've acquired these last months.

-- 
   Steve Linford
   The Spamhaus Project
   http://www.spamhaus.org