Spamhaus: abuse and blackmail

How the world's most famous spam blocking service really got the work done

by Andrea Gozzi (asgozziATgbhtechDOTcom)

Notice

While reading this page, please keep in mind that I use the Spamhaus DNSBLs myself!
I think they provide a great service and do a great job by keeping lots of spam out of our precious mailboxes.

I decided to publish this report after a lot of thought (the facts took place in September 2008) because I believe the way Spamhaus handled the situation through blackmail and threats is despicable. They clearly abused their position should have acted in a totally different way.

About Spamhaus

If you have managed/worked with a mail server in the last few years, you certainly know all about The Spamhaus Project (http://www.spamhaus.org) and their widely used DNS-Blocklists.

According to Wikipedia, Spamhaus is

" (..) a volunteer effort founded by Steve Linford in 1998 to track e-mail spammers and spam-related activity (..)"

and

"(..) [Spamhaus] is responsible for three widely used anti-spam DNS Blocklists (DNSBLs) — the Spamhaus Block List (SBL), the Exploits Block List (XBL), and the Policy Block List (PBL). Many internet service providers and other Internet sites use these free services to reduce the amount of spam they take on. The SBL, XBL and PBL collectively protect over 1.4 billion e-mail users (..)"

What Spamhaus basically does is add a host, IP or subnet considered a source of spam to its list. As soon as a that same source is added to the list, every mail server implementing the DNS-Blocklists will either discard or reject any email message coming from it.

The three lists work as follows:

SBL - The SBL contains IP addresses that are controlled by known spammers.
XBL - The XBL contains IP addresses of virus-compromised computers that are sending spam.
PBL - The PBL contains IP addresses that should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use.

Since we can all make mistakes, such as a mis-configured email server, Spamhaus also provides a removal mechanism for the host, IP or subnet in question.
If you ended up in the XBL or PBL, it's pretty easy to be de-listed. Just fill the online forms and in a couple hours you'll be removed.

Getting out of the SBL is another story.
The only way to be de-listed is through intervention by your ISP or the netblock owner. They have to contact Spamhaus directly and make them a bunch of promises (read here: http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20SBL#137) in order to have the host, IP or subnet removed.

About me

There's not really that much to say :)
I am a computer enthusiast and, since being displeased by most of the dedicated servers offers around, have been running my own servers at home for the last couple years. I used to have an enterprise plan from a Belgian ISP, the Brussels-based VOO (formerly Brutele SC), since 2003 and always been pretty happy with it.

Around mid-August 2008 I discovered Spamza.com. I was immediately intrigued by it.

About Spamza

What Spamza basically did was let anyone subscribe anybody to all those commercial mailing-lists that do not require double opt-in . There have been various claims about the how many mailing lists the email address was getting subscribed to, but (having seen the code myself) the real number was around 90.

A better and more accurate description of Spamza can be found here or here.

Since you could enter any email address you wanted, Spamza was greatly abused. Most people used Spamza to clog other people's mailboxes and force them to spend hours manually unsubscribing from every mailing-list.

By the end of August Spamza's hosting provider, 1&1 Internet Inc., had decided to terminate their account. I do not know what reasons were behind this decision but I can easily suspect a Spamhaus involvement.
In the following days the creator of Spamza, Frank L., posted a message on DIGG asking for help in finding a new place to host Spamza on. I contacted him and offered him some space and bandwidth on my server.

The facts

During the first days of September Frank worked on moving Spamza to its new location. Since the "spamza.com" domain had been registered for less than 40 days it could not be transferred to a new registrar yet.1&1 also refused to allow Frank to set new nameservers for the domain, so he had to register "spamza.org".

I do not recall the exact date but roughly by September 5th the new Spamza was up and running. To avoid further complaints Frank had set up a blacklisting system where anyone could add their email address so that it could never be subscribed using the Spamza automated system.

At this point, something has to be made clear: no email message was EVER sent from the server where the Spamza html files were located on.
I had personally set up and configured the server so it would be impossible for the HTTP daemon to transmit email messages.

On September 3rd I registered, in my name, the domain name "spamza.info" with the agreement that it would be later transferred to Frank.

First email: email from Mike Paulsen

On September 12, 2008 I was contacted via email by Mike Paulsen. He did not identify himself nor disclose his role, if he had any, in the Spamhaus organization.
This is the complete email message I received:

Subject: You're hosting the spamza spammer on your system. (note: I'm not talking about your honeypot.)
From: Mike Paulsen
Date: Fri, September 12, 2008 1:52 am

It looks like your server has been cracked.

www.spamza.org is on your server. Spamza is a spam engine. When someone
enters an email address, spamza forge-subscribes it to hundreds of
mailing lists.

It's already been kicked off other ISPs and has been listed by spamhaus.org.

You want to shut this down right away. I I were you, I'd take the server
down until you get this fixed.

I've already seen reports that the forged subscriptions are coming from
your IP (212.68.198.73).

C:\>dig spamza.org

; <<>> DiG 9.4.1-P1 <<>> spamza.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1195
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;spamza.org. IN A

;; ANSWER SECTION:
spamza.org. 1745 IN A 212.68.198.73

;; AUTHORITY SECTION:
spamza.org. 1745 IN NS ns3.zoneedit.com.
spamza.org. 1745 IN NS ns18.zoneedit.com.

;; ADDITIONAL SECTION:
ns18.zoneedit.com. 65360 IN A 72.9.106.68

;; Query time: 62 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Thu Sep 11 19:43:31 2008
;; MSG SIZE rcvd: 109

Since my server had obviously not been cracked, I simply forwarded the message to Frank and let him deal with it.
What is interesting is that he did not address the email to the RFC2142-complaint address "abuse@spamza.org" (like he should had) but instead went through a great deal of trouble to find my personal address.

Spamhaus list entry

Exactly like Mike Paulsen had warned me, the IP address hosting "www.spamza.org", 212.68.198.73, got listed in the Spamhaus SBL on September 12, 2008.
Personally, I didn't really care. I deliver mail via an external relay located on the other side of the world, so the blacklisting didn't affect me.
Moreover, I was allocated a nice subnet of addresses by my ISP, and those were not listed. All my bases were covered.

Second email: Fabien Bels

Mr Bels is a network engineer working for VOO. He got in touch with me on September 17th to let me know that Spamhaus had contacted him regarding Spamza.
In our phone conversation he told me that being an ISP listed on the DNS-Blocklist was bad for business and he advised me to take the website down.

He did not threaten me in any way, but being at war with your ISP isn't a good thing, so I complied. I did not have control over the DNS settings for the domains owned by Frank, but I removed all the website's files.

Third email: Fabien Bels

On September 18, 2008 I received a new email from Mr Bels.
The most interesting part is the email he received from Spamhaus:

Subject: Fw: Re: SBL listing SBL68040 212.68.193.176/28 SR02 & SBL67894
From: Fabian.Bels@*REMOVED*
Date: Thu, September 18, 2008 6:40 am

Bonjour,

Je viens d'avoir des nouvelles de Spamhaus.org. (voir mail ci-dessous)
Ils considèrent que le site vp44.net est associé au site spamza.
Pourriez-vous désactiver ce site également ?

Meilleures salutations,

Fabian.

Fabian Bels
IT
*PRIVATE DETAILS REMOVED*
*PRIVATE DETAILS REMOVED*
www.voo.be

----- Forwarded by Fabian Bels/Voo on 18/09/2008 07:40 -----

From: The Spamhaus Project - SBL Removals <sbl-removals@spamhaus.org>
To: Fabian.Bels@*REMOVED*
Subject: Re: SBL listing SBL68040 212.68.193.176/28 SR02 & SBL67894
Date: 17/09/2008 20:30

Fabian.Bels@*REMOVED* wrote on Wed, 17 Sep 2008 08:34:04 +0000:

>Hello,
>
>I don't understand why this block is blacklisted.
>In your descritption of the problem, it is mentionned "voo.eu". Is this
>spam has passed through dominomail01.voo.eu or dominomail02.voo.eu ?
>The mail domain voo.eu is not used by our clients.
>I saw also that the spam has been emitted by 212.68.198.73, not
>212.68.193.176/28.

Hello,

see: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL67894

The problem is spamza.[com|net|org], a service intended to harass its
victims with spam ("list bombing"). On Mon, 15 Sep 2008,
bertrand.crevin@*REMOVED* told us that the account had been terminated
and we confirmed the site was down. But later that day Spamza was back
up again on the same IP (212.68.198.73). We sent e-mail at that time
to bertrand.crevin@*REMOVED*, Cc: abuse@*REMOVED*. We received no
response and the hosting for Spamza continues at this time. We also
consider vp44.net to be part of the Spamza problem due to its direct
involvement (see "whois spamza.info"). Please let us know after all
associated accounts are terminated completely.

--
The Spamhaus Project - SBL Removals

Why would Spamhaus list enterprise mailservers that have absolutely no connection whatsoever to Spamza? Is it maybe because they noticed I had no problem with my IP address being in the SBL and they decided the only way to get my ISP's attention was by unfairly blocking their outbound mail?

Anyway, Mr Bels had been so understanding and helpful the previous day that I wanted to everything in my power to fix the situation.

Spamhaus

Myself to Spamhaus - #1

To try and get VOO's outbound servers removed from the DNS-blocklist, I emailed directly Spamhaus:

Subject: Concerning listing SBL67894, SBL68040 and ROK8343
To: sbl-removals@spamhaus.org
Date: Thu, 18 Sep 2008 08:40 am

To whom it might concern:

Dear Sir or Madam,

I am writing you as owner of the domain "vp44.net" and former host of
"spamza.org", "spamza.com", "spamza.net", "spamza.info".
Although the latter is legally owned by me, it was registered only to
provide email availability while the other domains were suspended. A simple
DSN query will show that no records are present except for the mail
exchanger.

I have been informed by Mr Bels, a representative of VOO (my ISP), that the
website "vp44.net" has to be terminated in order to resolve listings
SBL67894 and SBL68040.
The domain was originally registered on March 29th, 2007 - well before
"spamza.org", "spamza.com" and "spamza.net" were created.

You probably have been mislead by the WHOIS data on "spamza.info" showing
"Registrant Organization:VP44 Web Presence Services".
Also, the IP address both SBL listings (212.68.198.73) has a PTR record
pointing to "mail.vp44.net" but, as I am sure you are very aware of, is only to ensure RFC-complaintness.

Regarding the various "spamza" websites, they have all been terminated at Mr
Bels' request. I do not have control over the DNS and therefore cannot
delete the records pointing to my IP, but all the offending files have been
removed from the server.

On a personal note, I was very intrigued by noticing I have my very own
ROSKO listing. Sadly, I confess that I probably don't qualify for it.
I have never been terminated by any ISP/SP yet (and I don't see that
happening in the foreseeable future) so, according to your "3 strikes"
policy, I shouldn't even be mentioned. I started hosting "spamza.org",
"spamza.com" and "spamza.net" at the beginning of September, but never
received any complaint except for these unfortunate SBL listings.

Spamhaus to myself #2

Subject: Re: Concerning listing SBL67894, SBL68040 and ROK8343
From: "The Spamhaus Project - SBL Removals" <sbl-removals@spamhaus.org>
Date: Thu, September 18, 2008 9:07 am

"Andrea Gozzi" wrote on Thu, 18 Sep 2008 07:40:33 +0000:

>To whom it might concern:

Please use the correct Subject when writing to SBL Removals. You will
find the Subject embedded in the mailto link on each SBL page. Just
click the "contact the SBL Team" link. We do not process removals
without the correct Subject information.

Of course, in your case it doesn't matter as we will only be removing
listings for your ISP, not for you.

>Dear Sir or Madam,
>
>I am writing you as owner of the domain "vp44.net" and former host of
>"spamza.org", "spamza.com", "spamza.net", "spamza.info".
>Although the latter is legally owned by me, it was registered only to
>provide email availability while the other domains were suspended. A simple
>DSN query will show that no records are present except for the mail
>exchanger.
>
>I have been informed by Mr Bels, a representative of VOO (my ISP), that the
>website "vp44.net" has to be terminated in order to resolve listings
>SBL67894 and SBL68040.

All services related to Spamza need to be terminated. You chose to
associate yourself with Spamza and assist it in operating. You took
down one Spamza site, at which point we initially removed the SBL
listing, only to find that you had replaced it with another Spamza
site in a different TLD. You provided Spamza with "bulletproof
hosting", a spam support service.

>The domain was originally registered on March 29th, 2007 - well before
>"spamza.org", "spamza.com" and "spamza.net" were created.
>
>You probably have been mislead by the WHOIS data on "spamza.info" showing
>"Registrant Organization:VP44 Web Presence Services".
>Also, the IP address both SBL listings (212.68.198.73) has a PTR record
>pointing to "mail.vp44.net" but, as I am sure you are very aware of, is only to >ensure RFC-complaintness.
>
>Regarding the various "spamza" websites, they have all been terminated at Mr
>Bels' request. I do not have control over the DNS and therefore cannot
>delete the records pointing to my IP, but all the offending files have been
>removed from the server.
>
>On a personal note, I was very intrigued by noticing I have my very own
>ROSKO listing. Sadly, I confess that I probably don't qualify for it.
>I have never been terminated by any ISP/SP yet (and I don't see that
>happening in the foreseeable future) so, according to your "3 strikes"
>policy, I shouldn't even be mentioned. I started hosting "spamza.org",
>"spamza.com" and "spamza.net" at the beginning of September, but never
>received any complaint except for these unfortunate SBL listings.

No, you do not have your own ROKSO record. You have a file under Mr.
*REMOVED* ROKSO record as a partner-in-spam. In time it will be expired.

Now, what are we supposed to think about your vp55.net, or any other
network services you operate? You seem willing to assist a known 'net
abuser. Why should we trust anything you say or do? Will you be
cancelling spamza.info's registration? Why should we not ask that all
services to you be shut down, where ever you host?

--
The Spamhaus Project - SBL Removals

Spamhaus did respond promptly, which I really did appreciate. Unfortunately, I can't say the same about the contents of the message.
I can only suppose they are not used to deal with people challenging their decisions.

For starters, if they are so strict about their Subject: policy, why did they bother getting back to me?

Myself to Spamhaus - #3

Subject: Concerning listing SBL67894, SBL68040 and ROK8343
To: sbl-removals@spamhaus.org
Date: Thu, 18 Sep 2008 09:48 am

> Of course, in your case it doesn't matter as we will only be removing
> listings for your ISP, not for you.

Indeed.

>All services related to Spamza need to be terminated. You chose to
>associate yourself with Spamza and assist it in operating. You took
>down one Spamza site, at which point we initially removed the SBL
>listing, only to find that you had replaced it with another Spamza
>site in a different TLD. You provided Spamza with "bulletproof
>hosting", a spam support service.

I obviously take responsibility for that, since I was the one providing
hosting.
Unfortunately, those actions were not directly under my control, because I
never managed the DNS nor the domain registrations.

>Now, what are we supposed to think about your vp55.net, or any other network services you operate?

I can only provide you with a record of my IPs' behaviour.
The only time they got listed in a RBL was because of a widespread worm infection, and that was resolved in a matter of days.

>Why should we trust anything you say or do?

I think that is up to you. I have explained in my best words how the
situation was and how it is now.
I took down everything related to "spamza.org", "spamza.com", "spamza.net", "spamza.info" when Mr Bels requested to.

>Will you be cancelling spamza.info's registration?

If it helps resolving this unfortunate matter, I am willing to do it.

>Why should we not ask that all services to you be shut down, where ever you host?

Again, that is up to you.
I expressed my apologies to Mr Bels for the troubles I caused to the ISP's
operations by getting it listed with SpamHaus.

Best regards,

Andrea Gozzi

Happy ending

There were a couple more messagges exchanged between myself and Spamhaus in which they basically tried to make me apologize to them as if they were the WWW's "higher authority". But in the end they actually removed VOO's outbound servers from the SBL list.
The other IP address, 212.68.198.73, was de-listed a few days later.

I believe it is worth showing an extract from the last email I received from Spamhaus:

Subject: Re: Concerning listing SBL67894, SBL68040 and ROK8343
From: "The Spamhaus Project - SBL Removals" <sbl-removals@spamhaus.org>
Date: Thu, September 18, 2008 10:50 am

(...)

>I only have one last thought: I don't know what Spamhaus' policy is, but I
>usually like to know who I am corresponding to. Otherwise it's just another
>email in my inbox.

Consider us representatives of the thousands of anonymous victims of
Spamza, both receivers and senders.

--
The Spamhaus Project - SBL Removals

I was right! They do have a "higher authority" fantasy.

Final thoughts

As I stated at the beginning of this report, it took me a while to realize how unfair and abusive Spamhaus' behaviour was.
Spamhaus listed the server's IP in the SBL, but that didn't matter to me, so they went after my ISP.
At that point, one of two things happened: either somebody must have done a poor "investigating" job and ended up listing the corporate outbound servers for "voo.eu" instead of the customers' ones (very easy to find since the IP address was in BRUTELE-AS netblock) or the fight against Spamza turned personal.
I believe the latter.

This said, I admit that probably hosting Spamza wasn't a very good idea. It made somebody at Spamhaus angry and they decided they should start playing MOTU.