GoDaddy’s spam filter is broken

GoDaddy is rejecting mail with URLs that appear in the Spamhaus PBL. As this thread on the Amazon EC2 forum notes, this is creating false positives, causing nonspam mail to be rejected. Here’s what GoDaddy reportedly said about this policy:

Unfortunately, our system is set to reject mails sent from or including links listed in the SBL, PBL or XBL. Because the IP address associated to [REMOVED] is listed in the PBL, any emails containing a link to this site will be rejected. This includes plain-text emails including this information.

If this is true, it’s utterly broken.

Spamhaus explicitly warn that this is not to be done, on the PBL page:

Do not use PBL in filters that do any ‘deep parsing’ of Received headers, or for other than checking IP addresses that hand off to your mailservers.

And more explicitly in the Spamhaus PBL FAQ:

PBL should not be used for URI-based blocking! Consider the false positive potential: legitimate webservers hosted with services such as dyndns.com or ath.cx! Or consider that ISPs and other networks are encouraged to list any IP ranges which should not send mail, and that could include web servers! Use SBL or XBL (or sbl-xbl.spamhaus.org) for URI blocking as described in our Effective Spam Filtering section. Use PBL only for SMTP (mail).

Critically, the PBL now lists all Amazon EC2 space, since Spamhaus interpret Amazon’s policy as forbidding email to be delivered via direct SMTP from there. (Note — email, not HTTP.)

With this filter in place at GoDaddy, that now means that if you mail a URL of any page on any site hosted at EC2 to a user of GoDaddy, your mail won’t get through.

Note: this is much worse than blocks of SMTP traffic from EC2. In that case, an EC2 user can relay their legit SMTP traffic via an off-EC2 host. In this case, there is no similar option in HTTP that isn’t insufferably kludgy. :(

This entry was posted in Uncategorized and tagged , , , , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.

5 Comments

  1. Posted August 30, 2008 at 22:24 | Permalink

    Very interesting. The sad part is that blocking based on blacklists doesn’t really cut spam down that much. I used to run really aggressive blacklisting and still got a ton of spam… and lost a bunch of legitimate e-mails (including a job offer that was dropped on the floor because their mailserver’s host was blacklisted). After turning the IP-based blacklists off and letting SA do its thing, I got about the same amount of spam but didn’t lose any legitimate e-mail. That’s the best I can ask for :)

    I wonder why GoDaddy is thinking. Their customers still get flooded with spam, and now they can’t get their legitimate e-mail either. How is that helpful for anyone?

  2. Chefs Pro
    Posted October 16, 2008 at 01:08 | Permalink

    We are having extreme problems with Godaddy’s blocking tactics. For about a week we have received almost no mail and all we do receive ends up in the Bulk folder. Our clients are complaining, and we are frantic. With a complex system built up in Godaddy, we are reluctant to install some kind of Googlemail or even change mail servers, but we are at our wit’s end. A search for “Godaddy blocking mail” brings up a wealth of similar complaints. As with outs, some senders never receive a notification of a bounce, so believe that the mail has arrived. We have no idea what or how much we have lost due to their paranoia.

    I am now seeking an alternate mail server. We are oddly fairly satisfied with the hosting service.

  3. Jeff Sampson
    Posted October 20, 2009 at 22:28 | Permalink

    GoDaddy has now apparently switched to http://www.senderbase.org/

    Most of the messages from Yahoo Groups has been bouncing for two or three weeks now.

    The error message received is related to our email filter software, which blocks possible compromised servers from accessing our system. It primarily blocks incoming connections from IP addresses listed on http://www.senderbase.org/ (also blocks our own “spammer” database).

    The email sender must go to http://www.senderbase.org to ensure that the server IP address being used to send the message is not listed. To determine the IP address that a server domain name points to, (also known as its “A-Record”) you may use any one of a number of free DNS lookups available online. We recommend using your favorite search engine to locate one to use.

  4. Meg Loven
    Posted October 28, 2009 at 15:37 | Permalink

    I hear you on these problems! As a small business owner, I can’t afford to miss emails, and GoDaddy’s spam filter is causing me problems. Up until 2-3 weeks ago, life with GoDaddy was wonderful. Now I am also frantic–how can I run a business when my customers can’t reach me by email?

    Please GoDaddy–I know you’re listening. Pay attention and fix your issues! Hosting service has been great, but email is a REAL problem.

  5. Posted November 3, 2009 at 14:09 | Permalink

    I spend a lot of money hosting my sites on GoDaddy. However, this issue is afflicting me as well, and so now I’m searching for alternatives. It is simply not acceptable for them to be rejecting emails unbeknownst to me. For example, I just missed out on some critical communications with a consultant because of this.

    Wake up GoDaddy!!! You are loosing business.