Anti-spam group under attack — via ICANN

[This is a copy of an article I submitted to ICANNWatch.]

Spamhaus, the UK-based non-profit that runs the SBL and XBL anti-spam DNS blocklists, is reportedly facing serious legal trouble in the US.

A US-based spam gang has started legal action to have Spamhaus’ domain name confiscated by ICANN, and reportedly, Spamhaus may have been advised badly by their US legal people; so there is now a danger that they *may* indeed lose their domain, and possibly worse.

Note that Spamhaus is entirely UK-based, bar some mirrors; however, the proposed order is aimed at ICANN, which is US-based. This is the really tricky part; can a US company kill the domain of a non-US group?

According to anti-spam lawyer Matthew Prince, ‘there may be some time before ICANN is formally ordered to shut down the Spamhaus domain, but make no mistake that ICANN’s lawyers will be considering their options beginning first thing Monday, if they haven’t already begun the conference calls tonight’ … ‘In the end, [ICANN’s] decision is likely to be much more about setting a general policy than the specific details of who Spamhaus is or why they are critical for the Internet. ICANN will desperately want to stay out of this dispute, but they are subject to U.S. law and they will probably have attorneys who will argue they need to follow it. All it will take for this to end badly for Spamhaus is one lawyer at ICANN getting a little bit spooked and Spamhaus could lose not only it’s .org but potentially any other TLD that ICANN controls.’

This is interesting — if Spamhaus is forced to close down its domains and US-based mirrors, that will mean that the SBL and XBL blocklists will be down for a while, too. Typically those are used for up-front blocking, and if my servers are any indication, they take care of 75% of incoming spam before it hits any more CPU-intensive filtering.

Without those, there’ll be a lot of sites around the net suddenly dealing with quadrupled spam volumes hitting their MTAs.

This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.


  1. David Malone
    Posted October 9, 2006 at 19:07 | Permalink

    Is spamhause that accurate/widely used? We recently ended up on the XBL and CBL for about 6-7 hours. The docs for CBL say that you need to send mail to one of their spam traps (which is possible) and that you have to be running an open proxy/trojan (which is highly unlikely). Unfortunately, neither the XBL or CBL people provided anywhere near enough information for me to figure out why we’d been listed, why we’d been delisted or how to avoid being listed again.

    I saw a relatively small number of bounces in that time, and no significant increase in the amount of mail queued, so I’m not sure how many people can be using it for pre-acceptance testing.

    (Mind you, it was in the wee hours of the morning at the weekend, so I guess we may just not have generated that much mail over the period in which we were listed.)

  2. Posted October 9, 2006 at 21:55 | Permalink

    yeah, it really is that accurate. SBL has had the occasional FP in my experience, but CBL/XBL is thoroughly behaviour-driven — almost never incorrect. SBL and XBL are the only two BLs I’d recommend most people use for SMTP-time spam blocking.

    funny you didn’t see many bounces, though!

  3. Posted October 9, 2006 at 22:02 | Permalink

    Is anyone actually using the current crop of DNSBLs for blocking on their own? They all get false positives —’s outgoing SMTP server is still in one DNSBL, for example. Aren’t you supposed to use them as just one input to spamassassin? Most mail that comes from a BL-ed address is spam, but most mail matching /mortgage/ is spam too.

  4. David Malone
    Posted October 9, 2006 at 22:27 | Permalink

    Are you sure it is really behaviour driven? If it is, then it isn’t the behaviour that they describe in their FAQ. Mind you, the docs are somewhat contradictory. The FAQ says:

    When mail is received to one of our spamtraps, the connection is analyzed automatically to determine if the connecting machine is either an open proxy or is running a spam-sending trojan (usually installed by a virus such as Netsky, Bagle, etc., or by a malicious web site the user has been tricked into visiting). If so, the IP Address is immediately added to the CBL and hence Spamhaus’ XBL blocklist.

    However, the intro page to the XBL says:

    Mail servers already using should NOT also use or you will be making ‘double’ queries to basically the same data source and only one DNSBL will appear to work (the other(s) will appear to not catch anything). Mail servers already using are advised to continue doing so, as is itself a composite list and contains more than the open proxy IPs list part now incorporated in XBL.

    This implies that the CBL is blindly imported, as is the the open proxy part of njabl. The CBL say they just automatically list IPs that seem to send viruses to some of their spam traps, and explicitly say that they do not probe anything or test if something is an open relay. This certainly doesn’t agree with the XBL FAQ entry.

    They don’t seem to know if it is the AND or OR of the other lists. Do you know which it is supposed to be? Based on the behaviour, it looks like OR, but then the FAQ entry is quite misleading.

    (There also seem to be a number of stories on the web of Spamhaus listing stuff manually. I guess these could have been planted by spammers, but they looked kind of genuine.)

    I guess I probably only noticed a bounces for people who were returning perminant failures, but I would have expected to see some difference in the amount of stuff queued for those returning tempory failures.

  5. Posted October 10, 2006 at 10:46 | Permalink

    Well, by ‘behaviour-driven’ I mean ‘behaving as described in the first FAQ entry you list’ ;)

    The FAQ is slightly simplifying the case for readability, I think; as far as I know, it’s not a simple matter of ‘analyzing the connection’ somehow in a passive, p0f-like manner, and neither is the server-side actively probing the client, as with open-relay tests. Instead, certain behaviours of the client during the SMTP transaction, are rock-solid giveaways that it’s a zombie. Hence, behaviour-driven.

    These are things that I’ve never heard of a “real” MTA-to-MTA SMTP connection ever doing — hence the low FP rate.

    That’s the CBL, though, which is republished with additions as the XBL — the Spamhaus SBL is driven entirely manually, on the other hand.

  6. David Malone
    Posted October 10, 2006 at 12:00 | Permalink

    OK – well, I know what it is supposed to do now! I guess somehow MMDF on salmon must have done something that the CBL code didn’t expect, or maybe someone ran some code that spoke to their server and it did something weird.

    They did mention some windows virus in their listing, but the chance of it actually conducting a SMTP session from a FreeBSD machine is rather small. Salmon doesn’t proxy SMTP or NAT for anybody. It does act as a mail relay, and certailly might have relayed a virus for one of our client hosts, but because the documentation was so vague and confused, I had no idea what to look for.

    I see that the CBL people descibe an incident on 2006/06/15 where something went wrong and they listed a bundle of machines that shouldn’t have been listed – I suppose it is also possible that something similar happened again. I wonder would it be worth them adopting the p0f based technique that you linked to recently?

    The SBL being manually driven certainly explains the stories that I read on the web.

  7. Posted October 10, 2006 at 19:52 | Permalink

    “Instead, certain behaviours of the client during the SMTP transaction, are rock-solid giveaways that it’s a zombie. Hence, behaviour-driven.”

    That’s really clever.

    (Of course now Robert tells me that we block IPs on like that too …)

    • ask
  8. Posted October 10, 2006 at 19:53 | Permalink

    oops, your weblog doesn’t like certain characters so much. :-)

    (press option-o on your mac to make the ø character¸ …)

  9. Posted October 10, 2006 at 22:07 | Permalink

    This all just goes to show that spamhaus isn’t forcing anybody to block anything. Use it if you like it, don’t use it if you don’t. It’s as simple as that.

    Why doesn’t anybody mention the fact that that story is really scary and that we all hope that the spamming bastards won’t get what they want?

  10. Posted October 11, 2006 at 13:51 | Permalink

    Ask — yeah, I know. learning enough PHP to fix it is an item on my copious TODO list ;)

  11. Posted October 13, 2006 at 17:05 | Permalink
  12. Alan
    Posted October 16, 2006 at 08:55 | Permalink

    Why don’t they apply for a .uk domain?

  13. Ross
    Posted October 16, 2006 at 12:35 | Permalink

    Spamhaus lists David Linhardt’s email address as [email protected]. May all the bots in the world harvest this address, and curse him with at least 1×10^100 Viagra/Cialis emails, 4,9×10^175 mortage ads, 9,73×10^192 porn sites and 3,8×10^125 phishing attacks. Oh, and throw in a couple of trojans too.

    If any of you are feeling a bit bored, maybe sign him up for a mailing list or two…

  14. Ross
    Posted October 16, 2006 at 12:51 | Permalink
  15. l2
    Posted October 16, 2006 at 15:53 | Permalink

    l2secure yer mailserver l2protect yer eu’s l2use yer brain

    This is the main reason why spamhaus exists

  16. bill Stanley
    Posted October 18, 2006 at 18:52 | Permalink charges a whopping $14500 per year for a blacklist they don’t even own! To verify these charges, visit this page:

    More facts:

    The XBL list that comes in the data feed is in reality the CBL list at That list is not owned by All does is copy (download) the information X number of times a day to their own servers before feeding it to unsuspecting corporations.

    The CBL list has been renamed to XBL by the very cunny(!) folk at so that no-one could possibly notice the fraud. Furthermore, is selling the rebranded CBL list which makes up over 90% of the total value of the data feed for up to $14500 pa, when anyone including corporations and ISPs can get the same feed for FREE by filling in this simple form:

    This is blatant fraud because by mixing their highly ineffective SBL list with the CBL list, Spamhaus gives the false impression of their own SBL list being a powerful spam filter. This is a marketing con, just as ROKSO is a PR ploy.

    The stark reality which has been trying to sweep under the carpet in the last 3 years is, without the CBL list would have been bankrupt by now. Without the CBL list, Steve, John et al, would not have been able to rake in hundreds of thousands of easy dollars from corporations and government institutions gullible enough to believe the PR.

  17. Posted October 18, 2006 at 19:44 | Permalink

    Bill — I’m afraid you’re talking a load of bollocks:

    1. SBL is very effective in our testing; search this weblog’s archives for “DNSBL accuracy” for figures;
    2. CBL/XBL is likewise;
    3. the fee is for rsync access for high-volume querying sites; SBL and XBL usage is free for lower volumes.

    Please take it elsewhere — you’re arguing with people who know the real facts here, and I’m not prepared to provide a venue for FUD and whatever grudge you hold against Spamhaus.