Spamhaus sbl blocklisting poses a major threat to cpanel users

[tooky]

Hi,

I am the victim of a false sbl blocklisting at spamhouse.

Because my ip is blacklisted, all email users on my entire cpanel server including resellers with different ips are affected.

The problem is, they've grouped my ip in with some spammers who used an ip that was similar to mine. The data center has closed the spammers account, but the listing is still there. I have no appeal because the offending ips didnt belong to me!

This type of block listing can get net innocent users when used wrecklessly. I'm told the spamhaus guys are aware that this technique can affect users who are not sending spam. The sbl is a contoversial listing for this very reason. It says so right on their website FAq under: Can the SBL block legitimate email? found here: http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus SBL

When it gets your main cpanel ip though, all your users are affected!! If you have a server with a lot of email accounts you may have to deal with this some day. You will not like it at all, they are very unreasonable at Spamhaus and are ignoring my emails. They will only aknowledge the data center. What little response I did get from their so-called volunteers was frankly very rude.

It is a serious situation here. After 63 hours there is no resolve for it at this time. Again all my cpanel email users are affected, even the ones with different ips.

This poses a huge threat for cpanel. I say this becasue this type of interruption makes me queston the viability of a cpanel hosting business. We all know what downtime is by now!.

Low and behold as I get to the end of this post and they have just now removed the listing after 64 hours!!

There you have it folks 64 hours of bounced emails for an entire cpanel server! Courtesy of a wreckless Spamhaus sbl listing.

This has been an atrocious experience. I hope this does not happen to more cpanel users.

Please share your thoughts about this!

Best Regards,



Jon T.

 

[Stefaans]

This type of thing unfortunately happens -- innocent bystanders paying the price when there was a spammer someone else on the same network. In my limited dealings with SpamHaus, they have been extremely co-operative on removing IPs from their blacklists. Ultimately, it is up to your data centre to work at keeping their network clean of spammers and maintaining a good relationship with SpamHaus.

I am glad your problem is solved. I understand the frustration you must have felt.

 

[nyjimbo]

I still do not see how this is related to Cpanel. Why not post this on something like Webhostingtalk.com about spamhaus unfair practices instead.

Many hosts worldwide have had their IP's listed on various spam rbl lists for much longer than you and just like you, have had the problem resolved. I myself have been listed on SORBS and SPAMCOP as well as on roadrunner, AOL, ATT and other rbl's and I am sure most other long time hosts here have experienced it as well.

This is an issue between spamhaus and your isp/hosting provider and not a cpanel issue. It appears you are trying to get Cpanel users to stop using Spamhaus because of your incident, which I think is pretty ridiculous when you consider how important Spamhaus is to the internet community that has few other choices as good and reliable as Spamhaus to protect our servers from being overrun by spam.

 

[tooky]

sbl blocklistings are the specific problem

Mainly, I disagree with sbl block listing policy. I would like to eliminate the problem I had for other users. Perhaps they'll listen to cpanel because they sure didn't listen to me.

I believe it is a cpanel issue because cpanel hosts provide email to their customers. When an ip is listed in this way, the owner of the ip has no recourse to amend the problem. Only the data center can respond in this type of listing. So a typical cpanel user is not going to be heard by Spamhaus even if his ip is not the offending ip.

The ip was listed in a net of ips. I'm sure Spamhaus didn't mean to do it, but they did. I understand it has something to do with a /28 or a /30 or/32 at the end of the listing. Mine was a /28. It is a known controversial practice. It says so on their website in the sbl faq!

I was totally hozed and in the future this is going to happen to other cpanel users you will see!!

They did nothing to help me to correct the situation for 64 hours. They ignored my support requests!! I feel that is really bad business. They have to be more careful and responsive! Too much is at stake, we don't have to put up with it.

They should not be allowed to create blocklistings of this sort.

Perhaps someone at cpanel could ask them to stop doing that, or us as a forum could request it..

Cheers,

Jon T.

 

[tooky]

btw sorry for posting in the wrong category, that was an accident. my nerves are shot from all this. feel free to move it if anyone knows how.

We do run cpgs too though! It's really great I really like it. We use it for UT04 vctf. If anyone ever needs any help with getting it running feel free to contact me.

all the best,


Jon T.

 

[mctDarren]

I believe it is a cpanel issue because cpanel hosts provide email to their customers.

That would make it an AOL issue too. And a Yahoo issue. And Gmail. Level 3, Cogent, Verizon, Comcast, MSN, Earthlink in the U.S. Sympatico, Rogers, Shaw, Pipex, Easynet, Tiscali, Fido... well, that's all off the top of my head. That's probably 1% of the ISPs out there? :p

I feel for you and I apologize for the crassness of the above. But it's everyone's issue. It's happened to a client of ours just recently and to me personally on my own box once before. My point is if the negatives out-weighed the positives no one would use it and Sorbs, Spamhaus and the lot would all go the way of the Dodo bird. But they haven't, so it might just be working more often than not.

This is the perfect opportunity to talk to your provider and ask them if they have an action plan for this sort of thing in the future. Make them understand you are not happy with what happened. If they are quick to act and develop a reputation as a company who is against this sort of abuse, maybe next time it won't take three days to get de-listed. That's really all you can do.

 

[tooky]

thanks for your thoughts, this has been a very stimulating thread.

I still say it is a cpanel issue and here's why:
I never would have been providing users with email if I wasn't a cpanel user! I became a web host based on the functionality of cpanel. Other cpanel users need to be aware of these types of problems when they decide to go into the web hosting business. I'm much closer to throwing in the towel on my hosting business after this incedent. That would be $35 a month less for cpanel if I did. My guess is that the folks at cpanel don't want to lose small hosting companies to problems like this.

At one point I was even considering changing the main ip of my cpanel server to resolve the issue. I really had no idea whether the listing would be permanent or not. I think cpanel users may want to know how to change their main ip for the future as well.

As for convincing me that spamhaus does more good than bad...I'll never believe that after my experience with them. If it had been a clear cut case where I was listed for something that happened on my ip, I would not have complained at all. It was not a normal blacklisting please understand this.

Furthermore they are operating outside of the law here in the U.S. They've ducked a court case and have an $11,000,000 judgement against them. That coulpled with my troubles trying to amend their mistake is making it hard for me to take the Spamhaus Project seriously.

I don't like spam and I'm not condoning it in any way. I'm just stipulating that we should take action against Spamhaus in order to prevent future accidental sbl /28 listings. If they are going to blocklist innocent users, there really has to be accountability when a mistake is made! I was treated like a criminal by Spamhaus while my ip was errroneously on their list. They would not even acknowledge my problem!!

As for my data center, it took the owner personally dealing with it to get it handled. He informed me that it was irresponsible of them to use the /28 listing and they know it is. Calpop is a really huge data center, they are going to have blacklisting issues. They worked diligently with me the whole time to get this resolved.



Jon T.

 

[nyjimbo]

thanks for your thoughts, this has been a very stimulating thread.

I still say it is a cpanel issue and here's why:
I never would have been providing users with email if I wasn't a cpanel user! I became a web host based on the functionality of cpanel. Other cpanel users need to be aware of these types of problems when they decide to go into the web hosting business. I'm much closer to throwing in the towel on my hosting business after this incedent. That would be $35 a month less for cpanel if I did. My guess is that the folks at cpanel don't want to lose small hosting companies to problems like this.

At one point I was even considering changing the main ip of my cpanel server to resolve the issue. I really had no idea whether the listing would be permanent or not. I think cpanel users may want to know how to change their main ip for the future as well.

As for convincing me that spamhaus does more good than bad...I'll never believe that after my experience with them. If it had been a clear cut case where I was listed for something that happened on my ip, I would not have complained at all. It was not a normal blacklisting please understand this.

Furthermore they are operating outside of the law here in the U.S. They've ducked a court case and have an $11,000,000 judgement against them. That coulpled with my troubles trying to amend their mistake is making it hard for me to take the Spamhaus Project seriously.

I don't like spam and I'm not condoning it in any way. I'm just stipulating that we should take action against Spamhaus in order to prevent future accidental sbl /28 listings. If they are going to blocklist innocent users, there really has to be accountability when a mistake is made! I was treated like a criminal by Spamhaus while my ip was errroneously on their list. They would not even acknowledge my problem!!

As for my data center, it took the owner personally dealing with it to get it handled. He informed me that it was irresponsible of them to use the /28 listing and they know it is. Calpop is a really huge data center, they are going to have blacklisting issues. They worked diligently with me the whole time to get this resolved.



Jon T.

I'm sorry but the more you try to make it a "Cpanel" issue the more ridiculous it gets.

1) This could have happened with ANY of the RBL's, ANY OF THEM. Some of the others would have treated the issue with less concern than spamhaus has. Everyone agrees what happend to you is a big deal, but your resolution of the problem is misdirected and wont get anything accomplished.

2) Quitting hosting because of getting on a RBL shows you really dont have a thick enough skin to stay in this business. There are far more worse things than getting on a RBL for 2-3 days. Some of us spend HOURS every day just trying to protect our servers from attacks and hackers. Its a never ending war that never stops or even slows down. I cannot imagine shutting down a hosting business because of a 2-3 day smtp email blockage. We go through that ALL THE TIME. Last month one of our servers was blocked from Optonline for 5 days, we finally resolved it but it will happen again with something else.

3) Changing the main IP of Cpanel is something that is already available and has nothing to do with Spamhaus or getting listed on a RBL.

4) Remember, YOU were not blacklisted, your IP was. It's a case of being in the wrong place at the wrong time. Its like getting arrested for something you didnt do and having to prove you are innocent. Its like being blamed for something that has gone wrong at work and having to prove you didnt do it. But you took the wrong route to do it. This should have been directed at your ISP and Spamhaus, thats all.

5) Bringing up the court case AGAIN shows you are really reaching for anything. In the USA you can be sued for anything, I can sue you for emailing me. But a court has to decide if the suit has merit and then if so procedes to court trial. However if the sued party doesnt show up in most cases the defendant loses and they are found "guilty". It was stupid to sue SpamHaus in the USA, they should have been sued in their own country. Anyone with any understanding of civil law would know this suit was a waste of time, but the spammers were desperate to kill off SpamHaus. SpamHaus didnt "duck a court case". If someone sued you in another country would you pack up you and some lawyers and run off to the other side of the world and stay there for who knows how long for a bogus lawsuit. Keep in mind SpamHaus didnt lose the case on facts, they got a default judgement against them for not showing up. Now do you expect them to cut a check for $11million just because of the default ? Also remember that the $11million was not a amount the judge determined to be a fair value, it simply was what the lawsuit amount was for. I sue you for a $1000, you dont show up, I win the $1,000, end of story.

6) You say you were treated like a criminal. WRONG, you just had your IP blocked and your ISP/HOST should have addressed the issue with you. I doubt SpamHaus even knew you existed, they blocked you by IP, not domain name.

7) You want us to "take action" against SpamHaus. Ok, what happens when SPAMCOP does this, then AOL, then ATT, then all the others. What action do you think we should take?. Let me guess, drop SpamHaus as an spam RBL, right ?. Ok, if they are currently protecting 1,253,873,000 mailboxes world-wide why should we drop them because of you?. I can go to any of my servers right now and see the thousands of emails being blocked by spamhaus, njabl, spamcop and others and my customers love me for it. If I turned off spamhaus I can assure you I would begin losing customers very quickly.

Why not just come to the realization that you got caught in the middle of something ugly, it was resolved in a couple days and life goes on. Besides, since you are on a "troubled" network this is likely to happen again with SpamHaus and maybe other RBL's and you still havent figured out what to do. Trying to get Cpanel users to "take action" against SpamHaus for this type of situation isnt going to accomplish anything. Ask your ISP for more info on what can be done in the future, if they blow you off then its probably time to move your hosting elsewhere.

 

[jenlepp]

As for convincing me that spamhaus does more good than bad...I'll never believe that after my experience with them. If it had been a clear cut case where I was listed for something that happened on my ip, I would not have complained at all. It was not a normal blacklisting please understand this.

nyjimbo said almost everything that I would have loved to say but was too in awe of the arguments to formulate a respond.

He's right. Everyone's dealing with this - big, small, huge corporate ISPs and little tiny ones. It's become just part of the business. I can remember ten years ago when I would get a spam complaint, I would totally panic - I mean, like, alarm bells would go off and my breathing would get heavier and I would even get that "going to the principals' office" feeling in my stomach. I'd totally freak it.

It's 10 years later, and I don't like it, but it's now just another daily part of my job.

The fact is, though, I do what they do with Chirpy's firewall - when that option came to firewall out netblocks, I took it. Is it fair to netblock? Probably not. But then again, this is the Internet, these are my servers, and life ain't always fair. Yeah, when you're in the wrong place at the wrong time, it does suck - but it's part of the nature of the beast these days. There's threads on here about Yahoo bit bucketing email without domain keys, people fighting with the SPF records so the mail will go through, having to suspend sender verify on this one but not that one, people hating this feature, people loving this one...

It's all a cost-benefit ratio. Right now, it benefits me to use the RBLs because my servers run better when 40,000 spams a day are tossed at the handshake, because they'd be crippled under the 60,000 emails a day when 20,000 are good and 40,000 are spam. It just a cost-benefit ratio and nothing's perfect, and sometimes, you're the one behind the eight ball.

But that's the way this industry is now, and you suck it up and learn how to handle it as efficiently as possible, or you rail against things that simply aren't going to change - and this is one of those things that, IMO, simply aren't going to change.

 

[tooky]

ok cpanel users,

i hope you read that last post becasue the truth is you are going to need be thick skinned to run a hosting company with cpanel.

You are saying it is ok for them to wrecklessly blocklist innocent ips when they could be more careful when they make this type of listing. Are you advocating we just put up and shutp about these controversial sbl listings?

why cant each ip be listed seperately? each ip is different so why not have a unique listing for each one. At least then the owner of the ip could defend himself. Im convinced, they can do it in a better and more responsible way.

These guys took my request to be de-listed and sent it to the abuse dept. at time warner!! Time warner is who I use for my isp at my home office. That was malicous and aggressive. That is what I mean by being treated like a criminal.

Their organization wrongfully interferd with my business, don't expect me applaud them. It could have been avoided, so why wasn't it?

If we all agree that blocklisting is wrong, what are we discussing here?

 

[nyjimbo]

i hope you read that last post becasue the truth is you are going to need be thick skinned to run a hosting company with cpanel.

There is no truth to that statement at all. I have been a bbs sysop, dialup isp and web hosting provider going back to the mid 1980's. If anything, Cpanel has given the opportunity for anyone to run their own webserver with very little knowledge of the complexities of the underlying system.

 

[jenlepp]

If we all agree that blocklisting is wrong, what are we discussing here?

Well, you seem to be venting and attempting to incite cpanel itself or cpanel users to do some kind of mass boycott, or pound down Spamhaus's door and make them change. Or something. I think.

My guess is neither of those things is going to happen because for one, most of us aren't paying Spamhaus for the use of their work even though a lot of us are benefiting from it greatly (and, in fact, cPanel recently added the ability to use it without having to code it in yourself so presumably, lots of people asked for it).

Second, most of us are not paying Spamhaus (I know, it was number 1, too, but its a different point) - we're not their clients, we don't pay them money, and when we have no direct relationship to the company accept to use or not use their stuff free, they have absolutely no incentive to care one whit what we have to think about what they do.

Third, I don't see where everyone is up in arms over netblocks. There's a reason for it, and a purpose to it, and yes, sometimes mistakes happen. You deal with it like anything else in this industry.

I do wonder, though, with as aggressive as you've been here trying to make your point exactly what your email looked like to them when you attempted to get this dealt with. You seem to be taking what the owner of of your NOC said (They shouldn't have done that) as gospel and running with the assumption that everyone would agree with him, and you.

None of us know exactly what happened, or why you were blocked - so none of us, frankly, can make any judgment regarding what they did. We know in general what you claim happened (and only in the most general of terms), but you've posted a whole lot of hyperbole without any documentation or specifics regarding what happened, and you're blaming companies that have nothing to do with what happened to you (cPanel) simply because they somehow induced you to offer mail by providing the ability. It's amounted to "They suck - cPanel should stop it."

I've got some sympathy for your situation - but with all this, frankly, you've not influenced me in any way to join you in storming the castle. Spamhaus still does me way more good than harm. And 64 hours is way faster than AOL unblocks.

 

[tooky]

take a look at the listing you will see my ip in the rdns 208.70.78.94:


page carefully.
It contains the
reason for the
listing and who
to contact about it. Ref: SBL64224

208.70.78.80/28 is listed on the Spamhaus Block List (SBL)

10-Apr-2008 08:07 GMT | SR02

anonymized spam sources

208.70.78.85 mail.pitufamar.com 2008-03-25 2008-04-07 5/10 0/10
208.70.78.87 mail.quiquebas.com 2008-03-28 2008-04-05 5/10 0/10
208.70.78.89 mail.xanduzen.com 2008-03-31 2008-04-01 5/10 0/10
208.70.78.91 mail.winteraire.com 2008-03-27 2008-04-02 5/10 0/10
208.70.78.92 mail.pitremis.com 2008-04-03 2008-04-04 5/10 0/10




Received: from mail.pitremis.com (mail.pitremis.com [208.70.78.92])
by ...
Date: Thu, 3 Apr 2008 x -0400
From: "Working women" <[email protected]>
Subject: Online Degrees for Busy Women

Payload at pitremis.com redirects through to:

Domain Name: DEGREESFORWORKINGMOMS.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS1.LNHI.NET
Name Server: NS2.LNHI.NET
Status: clientTransferProhibited
Updated Date: 07-dec-2007
Creation Date: 15-nov-2007
Expiration Date: 15-nov-2008

Registrant:
WCS
157 Yesler Way
Suite 200
Seattle, WA 98104
US

Domain Name: DEGREESFORWORKINGMOMS.COM

Administrative Contact, Technical Contact:
WCS [email protected]
157 Yesler Way
Suite 200
Seattle, WA 98104
US
206-812-4653

Record expires on 15-Nov-2008.
Record created on 15-Nov-2007.
Database last updated on 10-Apr-2008 04:02:07 EDT.

Domain servers in listed order:

NS1.LNHI.NET
NS2.LNHI.NET 65.36.160.56




Domain Name: PITREMIS.COM
Registrar: SPOT DOMAIN LLC DBA DOMAINSITE.COM
Whois Server: whois.domainsite.com
Referral URL: http://www.domainsite.com
Name Server: NS1.DOMAINSITE.COM
Name Server: NS2.DOMAINSITE.COM
Name Server: NS3.DOMAINSITE.COM
Name Server: NS4.DOMAINSITE.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 31-mar-2008
Creation Date: 31-mar-2008
Expiration Date: 31-mar-2009

Domain Name: pitremis.com
Registrar: Spot Domain LLC

Expiration Date: 2009-03-31 00:00:00
Creation Date: 2008-03-31 10:10:23

Name Servers:
ns1.domainsite.com
ns2.domainsite.com
ns3.domainsite.com
ns4.domainsite.com

REGISTRANT CONTACT INFO
Protected Domain Services
125 Rampart Way
Suite 300
Denver
CO
80230
US
Email Address: [email protected]

ADMINISTRATIVE CONTACT INFO
Protected Domain Services
125 Rampart Way
Suite 300
Denver
CO
80230
US
Email Address: [email protected]

TECHNICAL CONTACT INFO
Protected Domain Services
125 Rampart Way
Suite 300
Denver
CO
80230
US
Email Address: [email protected]

BILLING CONTACT INFO
Protected Domain Services
125 Rampart Way
Suite 300
Denver
CO
80230
US
Email Address: [email protected]




rDNS:

208.70.78.85 mail.pitufamar.com.
208.70.78.86 mail.cuatroques.com.
208.70.78.87 mail.quiquebas.com.
208.70.78.88 mail.wientime.com.
208.70.78.89 mail.xanduzen.com.
208.70.78.90 mail.largosos.com.
208.70.78.91 mail.winteraire.com.
208.70.78.92 mail.pitremis.com.
208.70.78.94 cp.rocketmediahosting.net.





Removal Procedure

To have record SBL64224 (208.70.78.80/28) removed from the SBL, the Abuse/Security representative of calpop.com (or the Internet Service Provider responsible for connectivity to 208.70.78.80/28) needs to contact the SBL Team to explain how the spam problem has been terminated. If the spam problem that caused this listing has been terminated we will normally remove the listing from the SBL.

If you are a representative of calpop.com, you also need to see this:
Current calpop.com spam problems


The SBL is an international anti-spam system maintained by The Spamhaus Project and used by Internet networks to protect customers from spam sources and spam services. The SBL lists only IP addresses (not domains or addresses). If you are unable to send email due to this SBL listing, please contact your Internet Service Provider and show them this page - your Service Provider needs to contact Spamhaus to resolve the issue. (If you are not the Internet Service Provider, please do NOT contact us.)

 

[jenlepp]

So, in other words, it wasn't one site that was caught, it was 5 from the same Netblock.

Got it.

 

[ssustar52]

While I agree with your sentiment, I disagree that it has to do with cpanel at all. It wouldn't matter if you were using cpanel, hsphere, plesk, helm, any control panel, or even if you manually set everything up. I would have happened regardless. They blocked your IP, not your control panel.

I just went through the same thing with another RBL. Just be thankful they used /28 and not /24 like they did me. I really think it is a little ridiculous to use a /24 unless at least 50% of the ips in that /24 are causing problems, but a /28 is a little more reasonable at least.

 

[tooky]

thanks for all your replies, you all make very good points. I can tell that most or all of you have more experience than me at hosting cpanel servers. This whole thing caught me really off gaurd and I had a rough time figuring out how to deal with it. It looked to me like the ip would possibly never be de-listed. And yes I've dealt with blacklistings before, but it was not a struggle like this was. I do hope this thread will help other users who encounter similar problems.

draknet's comment ""going to the principals' office" feeling in my stomach" really sums it up best!

What can I say, I guess there is nothing left to do then. I don't want to storm the castle, bring them to their knees, and force them to thank me for helping them figure out this problem. I do however think making their volunteers aware of this thread could help in an effort to stop or make more responsible blocklistings.

By the sounds of your replies, cpanel users for the most part don't mind blocklistings...even if their cpanel ip gets listed now and then. I can live with that. Let's just all hope it happens to someone else next time and that the next listing doesn't include me!

 

[gtgeorge]

take a look at the listing you will see my ip in the rdns 208.70.78.94:

Are you running a mail server at that ip? I don't show a mail server there and nothing in senderbase to reference there has been?

 

[singlephased]

Are you running a mail server at that ip? I don't show a mail server there and nothing in senderbase to reference there has been?

208.70.78.94 is not listed in the SBL

208.70.78.94 is not listed in the PBL

208.70.78.94 is not listed in the XBL

 

[tooky]

Hi,

Thanks guys!! you saw that blocklisting and immediately went to work on how to fix it... I should have posted that first!

Anyhow the listing was removed already, it took 64 long hours for that to happen.

gtgeorge:

I'm not sure what a sender base is, however there is a mail server there at that ip. Approximately 100 email accounts were affected. .I have a secondary ip and also a reseller user who has his own ip. We were both affected by the listing. Luckily I have most of my email user's accounts hosted at another data center which was not listed.

Again thank all of you for your input and concern, I hope this never happens to you!

 

[gtgeorge]

Hi,

gtgeorge:

I'm not sure what a sender base is, however there is a mail server there at that ip. Approximately 100 email accounts were affected. .I have a secondary ip and also a reseller user who has his own ip. We were both affected by the listing. Luckily I have most of my email user's accounts hosted at another data center which was not listed.

Again thank all of you for your input and concern, I hope this never happens to you!

senderbase is an email abuse database that records spam emails received from a given email server. No email server was found for that ip or domain names you provided.

Also a telnet to that ip for the mail server results are:

telnet mail.rocketmeadiahosting.net 25
Connecting To mail.rocketmeadiahosting.net...Could not open connection to the host, on port 25: Connect failed

http://www.senderbase.org/senderbase_queries/detaildomain?search_string=rocketmediahosting.net

http://www.senderbase.org/senderbase_queries/detailip?search_string=208.70.78.94