Vigilantes or Public Servants?

Monday, March 15, 2010

Wayde York


No one likes SPAM (the email variety). Every responsible user of the Internet and surely every responsible information security professional would agree that anti-spam efforts are needed and likely should be expanded. What happens, however, when the Internet-based anti-spam agents become a hindrance to business? While there are over 70 anti-spam "service providers" that live on the Internet, a handful provide most of the information to business, government and academic users. The service provided is usually a list of IP addresses from which to block SMTP or other email activity. One of the larger providers noted that their customers are "the few thousand corporations taking twice-hourly block list transfers." Most of these organizations publish block lists of open SMTP relays, which can be used by spammers. One provider looks for email Non-Delivery Reports (bounces) that go further than local users of the email server. In the words of one spam blocker, "A single infected machine sending spam out through a network utilizing NAT can result in blocked email from the whole LAN." To keep mom and dad from spamming, providers of home Internet access also give their home user network ranges to the spam-blockers, so that home users cannot run their own email server instead of the provider's.

I know this because of the two times I've bumped into the anti-spam crowd. The last one was due to a recent attempt to build a Microsoft Exchange environment with a BlackBerry server at home for testing purposes. I have a non-commercial Internet connection, and was pleased to see email flowing. Seven test emails later, I was on at least two block lists and testing was shut down. In this case, the primary reason was that my Internet provider had listed their home user network ranges and my router fit the criteria.

The first time I ran into the spam-blockers was when I was providing tech support for a recruiting company. Obviously, a recruiting company lives on email, and when their partners and clients started getting their email to this company rejected, many hairs caught fire. This occurred at a seemingly random interval, years after this company started. Notification that we were being blocked as spammers came from clients, not from the anti-spam service providers.  This instance of blocking became a major business issue and took over a week (the first time) to clean up the mess. We had fit the "spammer" template. When a template is triggered, the anti-spammers put the "offending IP address" on a list that is distributed far and wide without notifying the alleged offender. A hero of sorts arose in all of this; it was MxToolbox. See them here. This organization gave me the information I needed to petition the spam-blockers, and provided other tools to get notified that my company was back on lists. Our "crime" was using an IP address that came from a DHCP pool at a particular Internet provider. The IP address was commercial, but that fact didn't fit into the anti-spam template. After we got off the list, we were put back on a few more times before I finally convinced 3 different anti-spam service providers that we were not spammers and the Internet provider gave us a commercial IP address.

So I ask: is building block lists of IP addresses that are "apparently" spammers, and distributing these lists without notifying the offending party, vigilantism or service provision? I lean toward them being vigilantes. Perhaps if a mechanism were in place to warn the alleged spammer that they are about to be blocked, the service would seem more friendly.
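A mail administrator can approximate the missing warning by polling the lists for their own address. The sketch below is an added example, not part of the original post; it assumes the lists are published as DNS zones queried as described in RFC 5782, and the `.example` zone names, the 203.0.113.10 address and the canned DNS answers are constructed placeholders.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 "listed" answers

def dnsbl_query_name(ip, zone):
    """IPv4 octets reversed, then the list's zone (RFC 5782 query format)."""
    addr = ipaddress.IPv4Address(ip)  # raises on anything but a valid IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A records for name; [] when the name does not resolve (not listed).
    A resolver outage also lands here, so treat a sudden all-clear with care."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_listings(ip, zones, resolve=system_resolver):
    """Return {zone: [return codes]} for each zone that currently lists ip."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Answers outside 127.0.0.0/8 are not listings (parked or hijacked zone).
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
        if codes:
            hits[zone] = codes
    return hits

def new_listings(previous, current):
    """Zones listing the address now that did not at the last poll."""
    return sorted(set(current) - set(previous))

# Constructed sample data: placeholder zones and canned answers, no real lists.
MY_IP = "203.0.113.10"
ZONES = ["dnsbl-a.example", "dnsbl-b.example", "parked.example", "clean.example"]
FAKE_DNS = {
    "10.113.0.203.dnsbl-a.example": ["127.0.0.2"],
    "10.113.0.203.dnsbl-b.example": ["127.0.0.10", "127.0.0.4"],
    "10.113.0.203.parked.example": ["198.51.100.7"],
}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    last_poll = {"dnsbl-a.example": ["127.0.0.2"]}  # state saved by the previous run
    now = check_listings(MY_IP, ZONES, fake_resolver)
    for zone in new_listings(last_poll, now):
        print(f"ALERT: {MY_IP} newly listed on {zone}, codes {now[zone]}")
```

Dropping the `fake_resolver` argument makes `check_listings` query live DNS; running it on a schedule and saving each result gives an alert only when a new list picks up the address.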

MxToolBox Support: Thanks for recommending our website, but I think the link you meant to recommend was

Our site provides many helpful DNS tools including MX records, Blacklist, Server Monitoring and more.

Let us know if you think any tools are missing or if you have any other feedback!

dgonzalez: I say a little of both.

While there are services to check if your email domain has been listed on one of many blacklists public on the internet, I am not sure if this is or can be an automatic/automated notification process. If it isn’t, then it should be and you are right. There should be some mechanism in place to notify the organization when it is being blacklisted. There is nothing more frustrating for a company than being blacklisted and being the last to know about it. I know! I have run into a situation similar to the one you mentioned. Even tougher is that some of these blacklisting service providers update their lists based on the information provided to them by organizations' mail administrators, which are manually created. Which in turn means you have to contact organizations and ask to be removed, which could turn into a lengthy process.

In any event there are many different layers to take into account and many different aspects to consider for an easy solution, however a solution is clearly needed.


MxToolBox Support: You are correct that if there was a way you could be notified that you were Blacklisted that would be great, but you are right that it just doesn't seem feasible.

However, we do have a Server Monitoring Tool that monitors over 155 Blacklists, if your IP is Blacklisted you will receive an alert within minutes. You can follow the links to the Blacklist websites (via the "details" link or the Blacklist name) and request delisting directly from them. I also want to provide you with a link to a very handy article we posted on our blog - What Blacklists Are and How MxToolbox Helps!

This article explains how our services eliminate the problems blacklists cause and how they are oftentimes recurring and hard to permanently fix. If you can't get resolution to the problems, don't hesitate to call or e-mail me and we can discuss the problems further.
