Avoiding Spamtrap Disasters

Nothing can derail an e-mail marketing program so quickly and completely as sending mail to spamtraps. Businesses that are new to e-mail marketing are often unschooled in the hazards of spamtraps, so today we’ll take a crack at explaining what they are and how they work, and what senders can do to avoid spamtrap disasters.

Spamtraps are e-mail addresses that, by design, look and behave in most ways like ordinary, deliverable addresses. Once they’ve been added to a list of recipients, there’s really no way for senders to tell them apart.

The difference between spamtrap addresses and ordinary recipient addresses is that spamtrap addresses are never used to opt in to mail, or to send any mail at all. Owners of spamtraps use them to collect mail from, and generate data on, senders who are harvesting, e-pending, or guessing addresses (or who are purchasing lists composed of the same) and who are sending to them without any kind of permission.


More Spammer Performance Art

Freshly plucked from the +1 Bag O’ Fail comes another spammer web screed, whose author apparently hopes to become the locus of an organized movement to save Capitalism from the looming apocalypse that is Spamhaus, MAAWG, ReturnPath, and the ESPC.

When I first saw stopthehaus.org, I assumed it was another web site authored by longtime spammer Bill Waggoner. He created the ridiculous yourinternetbodyguard.com site, a rant about Spamhaus and SpamCop – but some cursory poking around in whois and ROKSO shows that it’s actually a different spammer.

Stop the Haus appears to be the brainchild of Andrew Stephens/bulkemaildirectory.com, who are listed on Spamhaus ROKSO for harvesting e-mail addresses and reselling them to bulk mailers (and possibly for sending to the harvested lists themselves).

It contains the same flavor of frothing, aluminum foil-capped lunacy on offer at Waggoner’s site, albeit with somewhat fewer migraine-inducing grammatical errors. The new twist here, though, is the development of a set of their own “blocklists” (his incorrect usage, not mine), including a list of “spam complainers who’s [sic] complaints are invalid due to can-spam compliance”.

Because, as we all know, if it complies with CAN SPAM, it can’t possibly be spam.

Spamhaus Under Hack Attack for Outing Fake Wikileaks Site

Recently, blocklist provider Spamhaus warned that an unofficial wikileaks mirror site may be serving up malware. The site is hosted in an IP range with a long history of criminal activity, and appears on one or more Spamhaus block lists. Spamhaus had been concerned that this block might be taken as a sign by observers that Spamhaus was being coerced into blocking the redistribution of information contained on the wikileaks site.

To be clear, this wikileaks mirror has nothing to do with Julian Assange or the operators of the original wikileaks site. It may, in fact, be distributing malware to visitors to the wikileaks.info web site. Spamhaus’ only interest is to block the distribution of malware.

Spamhaus now appears to be under a sustained distributed denial of service attack as a consequence of those warnings. Spamhaus operator Steve Linford recently posted this statement for redistribution:

For speaking out about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps.

As our site can’t be reached now, we can not continue to warn Wikileaks users not to load things from the Heihachi IP. If you know journalists who would get this message out, please forward this message (entire) to them.

AnonOps did not like our article update, here’s what we said and what brought the ddos on us:


In a statement released today on wikileaks.info entitled “Spamhaus’ False Allegations Against wikileaks.info”, the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus’s information on his infamous cybercrime host “false” and “none of our business” and called on people to contact Spamhaus and “voice your opinion”. Consequently Spamhaus has now received a number of emails some asking if we “want to be next”, some telling us to stop blacklisting Wikileaks (obviously they don’t understand that we never did) and others claiming we are “a pawn of US Government Agencies”.

None of the people who contacted us realised that the “Wikileaks press release” published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks – but by the person running the wikileaks.info site only – the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the “press release” was issued “by Wikileaks”. In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirror sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.


Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian malware cybercriminals, to an audience that faithfully believes anything with a ‘Wikileaks’ logo on it.

Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We’re not saying “don’t go to Wikileaks” we’re saying “Use the wikileaks.ch server instead”.


Steve Linford
The Spamhaus Project

When Blacklists Die

Update: It appears that the Fiveten DNSBL was resurrected from the dead on or about November 22nd (thanks, Al Iverson).

Blacklists have been popular targets for complaints and criticism for years. Senders complain they are too stringent and lack transparency. The anti-spam community howls with outrage when they’re not as aggressive as they think they should be.

One blacklist in particular, called the five-ten-sg.com block list, has been a thorn in the side of ESPs since 2001 – but not because lots of ISPs use the list to block mail. In fact, they don’t; the list generates too many false positives, and as my colleague Al Iverson so memorably demonstrated a few years ago, you’d get significantly better results by randomly blocking any mail from an IP address in which the number 7 appears.

The list operator is a guy named Carl Byington, and I’ve been reading what he has to say about spam and e-mail for years. He’s a smart, reasonable guy who’s always been honest about the nature of his list. He lists sources of bulk e-mail for a broad range of reasons, and he’s quick to agree with anyone who points out that his listing criteria are not useful for filtering decisions in a high inbound e-mail volume production environment. But it’s his list, and he can do with it what he pleases – and ISPs and other network operators are similarly free to ignore it.

ESPs, on the other hand, have been getting an earful from their customers about Fiveten for a long time.

When a sender runs into deliverability problems, they’ll often turn to web sites that offer to look up an IP address on a bazillion block lists all at once. In altogether too many instances, they discover they’re listed by Carl. They’ll fire off a few angry e-mail messages or phone calls to their poor, harried deliverability guy. It always seems to take a few days to explain why the listing is almost certainly not the root cause of their deliverability issue, and to redirect time and energy back to the real issues.

This weekend, Fiveten went dark. On Friday, any lookup at the site yielded a response reading “blackholes.five-ten-sg.com has been retired.” As of this writing, the domain doesn’t answer at all. Carl hasn’t provided any public explanation for his decision to decommission his list, and he really doesn’t have to. No one has to pay money to use his list, and maintaining a list takes more time, energy and resources than most folks realize. I suspect Carl simply ran out of one or more.

Senders have a love-hate relationship with blacklists; they do a good job of keeping the deluge of pill spam, virus and malware messages at bay, and are an important reason why e-mail remains a viable channel for marketing and commerce. But when senders find themselves at the pointy end of a listing, it’s easy to understand why they may find themselves unable to muster much sympathy. They often feel as though the listing must be capricious, or even malicious.

The demise of Fiveten demonstrates that, contrary to all the complaints over the years, block lists as a category generally are not capricious. It turns out that market forces are as immutable for block lists as for any business, and block list operators are just as answerable. Over-aggressive listings are not useful to ISPs, because they tend to generate false positives by blocking wanted mail. When a list isn’t useful anymore, ISPs stop using it, and it goes away.

Blacklists will continue to exist and operate much as they always have, and I predict that both senders and anti-spammers will continue to complain about them just as loudly. If either side were to stop – well, that’s when I’d start to worry whether blacklists are still doing a good job.

Reply-All: Lumber Cartel (TINLC) Edition

Back in the day, a spammer who found himself on the wrong side of an e-mail block list publicly asserted in all seriousness that anti-spam activities are funded in secret by a shadowy cartel of lumber producers who were seeing their margins from paper production erode as marketers made the shift from postal junk mail to e-mail. It became a sort of running joke in the usenet newsgroup news.admin.net-abuse.email. One of the straw arguments frequently mounted by spammers to justify their business model was the environmental friendliness of e-mail. We now have a credible estimate of the carbon footprint of e-mail: about 135kg per user, annually – or the equivalent of a 200-mile drive in a car. Turns out e-mail isn’t all that green.

Facebook this week announced three more spam-related lawsuits, and among the defendants they’ve named is a guy named Steven Richter. A bunch of blogs and media outlets assumed this is the same Steve Richter, who is the father of spammer Scott Richter and president of his son’s company Media Breakaway, LLC. The company was quick to respond with a press release, pointing out that the named defendant is actually a different Steve Richter.

ISPs who use SORBS blocklist data for e-mail filtering woke up one morning two weeks ago to discover that they were unintentionally blocking mail from great swathes of the Intarwebs, including Yahoo!, Apple, and Google Groups. SORBS operator Michelle Sullivan at first claimed they were the target of a massive DDOS attack, but later disclosed that they had inadvertently placed a bunch of historical block list entries in their current listings database during a server migration. Oy.

Just in time for Halloween, notorious spammer (and unintentional comedian) Bill Waggoner has risen from the grave with the launch of yourinternetbodyguard.com (you may want to mute audio before you click through). His new site solicits contributions to be used (somehow) against Steve Linford of Spamhaus and SpamCop founder Julian Haight (never mind that Haight hasn’t had a thing to do with SpamCop for years).

Reply-All: The Week That Was

Welcome to the first installment of Reply-All, a semi-regular/whenever-I-feel-like-it look back at the week in Deliverability:

Hope to see you all here next week!

Spamhaus lists Google

I’m sitting at my desk sipping first coffee of the day when a colleague floats a message over the transom of an e-mail related listserv with the subject line “Spamhaus now listing Google Outbounds”. Colleague owes me a new keyboard.

It does appear that Spamhaus is listing fifteen different Google hosts. However, Gmail users shouldn’t be reaching for their torches and pitchforks just yet. It does not appear that any machines that actually handle mail for Gmail are listed.

Instead, Spamhaus is listing a basketful of Google Docs machines for their long history of hosting images and redirectors for the associated Canadian Pharmacy ROKSO listing.

Will Google notice? That really depends on whether any Google customers notice. Stay tuned.

Block Lists and the Death of a Thousand Cuts

Author’s Note: Since this writing, block lists operated by SORBS have had a pair of spectacular, catastrophic failures resulting in the inadvertent and wholly spurious characterization of enormous chunks of the Internet as sources of spam, or dynamic IP space, or both. Poor infrastructure planning and operational security precluded a graceful recovery; in fact, it was nearly a week before operations returned to normal. As such, use of GFI/SORBS as a reliable source of data on production mail servers is deprecated. My colleague Steve Atkins at Word to the Wise provides an exhaustive review of the problems leading up to and exacerbating the failures, and summarizes them neatly.

If you’re sending high volumes of e-mail, sooner or later you’ll find yourself on a block list. It doesn’t matter that all of your list segments are quadruple opt-in; like death and taxes, it’s inevitable. The secret to surviving (and correcting) a listing is to be ready before it happens. Here’s what you need to know now, before you find yourself listed.

Stay Cool. No one ever got a listing removed by screaming down a phone line or threatening legal action. Don’t expect (or demand) a good customer service experience from a block list – you are not their customer.

Block Lists Don’t Block Mail. In the initial panic following the discovery of your listing, it’s easy to forget that block lists don’t actually block any mail; it’s your recipients’ mail servers that do all the blocking. The filters used by many ISPs and companies reference data from block lists, reputation scoring firms, and especially feedback from their customers to inform their filtering decisions. If significant numbers of your recipients are reporting your mail as spam, stop worrying about the listing. It’s time to take a hard look at your list hygiene, acquisition and sending practices.

Some Block Lists Matter More Than Others. The vast majority of public block lists don’t matter at all. There are plenty of web sites that offer to look up your sending IP on hundreds of lists all at once, but unless you’re listed on one of only about a half-dozen, you probably have nothing to worry about.

So which are the ones worth worrying about? Any of the lists operated by Spamhaus.org, the CBL, URIBL, CloudMark CSI, SpamCop, Barracuda Central, and sometimes SURBL and SORBS. The cast of characters changes a little from time to time, but these are usually the heavy lifters.

Different Lists Do Different Things. A listing on the Spamhaus SBL means something very different from a listing on URIBL, which is entirely different again from a listing on Spamhaus PBL. Only one of these (SBL) is a list of suspected spam sources. The URIBL lists domains that appear in spam. The PBL is a list of IP space from which unauthenticated e-mail is not supposed to be sent. Don’t assume you’ve been listed because someone thinks you’re sending spam; make sure you understand the reason for your listing before you waste time fixing a problem you don’t have.
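An added example (not from the original post) of the triage the two paragraphs above describe: filter a multi-list lookup down to lists that matter, then read what kind of listing it is. The zone names and Spamhaus ZEN answer codes come from the operators' public documentation rather than this article, and the lookup results are constructed.

```python
import ipaddress

# Zones for some of the lists the article says matter. Zone names are the
# operators' public DNSBL zones, added here; they are not from the article.
MATTERS = {"zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"}

# Spamhaus ZEN answer codes (from Spamhaus's public documentation, not the article).
ZEN_CODES = {
    "127.0.0.2": "SBL: suspected spam source",
    "127.0.0.3": "SBL CSS: suspected spam source (automated)",
    "127.0.0.4": "XBL: compromised or infected host (CBL data)",
    "127.0.0.10": "PBL: IP space not meant to send unauthenticated mail",
    "127.0.0.11": "PBL: IP space not meant to send unauthenticated mail",
}

def query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def triage(zone, answers):
    """Classify the A records one zone returned (empty list means NXDOMAIN)."""
    if not answers:
        return ("not listed", [])
    if zone not in MATTERS:
        return ("ignore", ["list is not one of the few that drive filtering"])
    # Spamhaus answers 127.255.255.x for errors such as a blocked public resolver.
    if any(a.startswith("127.255.255.") for a in answers):
        return ("query error", ["answer is an error code, not a listing"])
    if zone == "zen.spamhaus.org":
        return ("listed", [ZEN_CODES.get(a, "unknown code " + a) for a in sorted(answers)])
    return ("listed", ["see the operator's lookup page for the reason"])

# Constructed lookup results for the documentation address 192.0.2.25.
SAMPLE = {
    "zen.spamhaus.org": ["127.0.0.10"],
    "blackholes.five-ten-sg.com": ["127.0.0.2"],
    "bl.spamcop.net": [],
    "b.barracudacentral.org": ["127.0.0.2"],
}

def report(ip, results):
    """Return {query name: (verdict, reasons)} for every zone that was checked."""
    return {query_name(ip, z): triage(z, a) for z, a in results.items()}

if __name__ == "__main__":
    for name, (verdict, reasons) in report("192.0.2.25", SAMPLE).items():
        print(f"{name:45} {verdict:12} {'; '.join(reasons)}")
```
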

Many Block Lists are Automated. Some block lists operate with as little human input as possible. The URIBL is a good example. It automatically adds the domains it sees in the links contained in spam, so that users of the list can block mail based on presence of those domains. The good news is that delisting is pretty straightforward – just submit a short request on their web site. But expect the listing to be reinstated automatically if it sees more spam that contains links to the offending domain.

Avoid the Death of A Thousand Cuts. The most dangerous block lists are the private, home-grown lists created and maintained by IT professionals at the companies you’re sending to. These lists are unpublished, unqueriable, and are controlled by harried mail administrators who don’t have time to check every few weeks to see if it’s okay to delist you.

Once you land in one of these lists, the effect is very localized, but extremely difficult to reverse. Land in enough of these lists, and you’ll notice significant deliverability problems with your target niche – the death of a thousand cuts. Ironically, one of the benefits of the large, centralized block lists for senders is that it takes just one delisting to get mail unblocked across great swathes of the Internet. It’s a lot easier than contacting every domain you send to, one by one.

Block lists seem a lot less scary once you understand how they’re assembled and used. If you find yourself listed, keep calm, find out why, and gather together the data you need to fix it.