Dear colleagues!
I want to tell you about an amusing case that caused a week of problems with our company's email, and apparently not only ours.
Over many years of work in IT I have seen a lot: lamers who hand out "smart" advice left and right with an authoritative air, and real professionals who live by the principle "I know everything, but I won't tell anyone." There are all kinds of people. But in my opinion the main feature of a reasonable person is rationality, that is, the ability to apply reason. A tautology, of course, but that is what it comes down to.
It all started on March 22, when one of our employees complained that her emails were not reaching the recipient. Our users are fairly literate, so she backed up the complaint with the Mail Delivery System bounce, the essence of which was:
host xxx.xxx.su[1.2.3.4] said: 550 5.7.0 Your
server IP address is in the SpamHaus SBL-XBL database, bye (in reply to
RCPT TO command)
Well, that didn't scare me, but it surprised me. We had, so to speak, been "counted." Of course, a virus or Trojan on the network, or a misconfigured mail server, could be to blame, but nevertheless one should start by reading the entry in the Spamhaus system. The address of our SMTP server was found in the record Ref: SBL133720. After reading it, I was stunned. I have used the SpamCop and Spamhaus systems many times myself, relying on the fact that they are run by those very reasonable people who want to beat spam, or at least reduce its volume. But this... The record read:
Ref: SBL133720
217.147.31.0/24 is listed on the Spamhaus Block List (SBL)
2012-03-22 11:37:53 GMT | SR04 | tel.ru
Spam and cybercrime host: iqhost.ru (AS52201 >>> AS50465)
LLC "TC TEL" routing to cybercrime hosting operation at iqhost.ru. One of the worst in the world.
www.cidr-report.org/cgi-bin/as-report?as=AS50465
AS50465 IQHOST IQHost Ltd
Adjacency: 2 Upstream: 2 Downstream: 0
Upstream Adjacent AS list
AS34221 QL-AS JSC QUICKLINE
AS52201 TCTEL LLC "TC TEL" (AS31430)
Network addresses do not change.
This was followed by a listing of all the IP networks allocated to our provider and included in AS31430. Thus an uncountable number of people had been recorded as spammers. That is the scale of it. The Spamhaus administration had apparently lost its mind. In essence, I was charged with "being on" the provider's network, and the provider was charged with BGP peering with a hoster's autonomous system, which was declared literally the world's largest cybercrime nest.
Pure paranoia. Where is Rome, and where is Crimea. It might be easier to ban the use of email outright, in case there is spam or something worse.
The entry also contained a lot of information about the "uncovered" botnets and spam nodes in the IQHOST networks. I will not repost that filler here. Anyone who wants it, I can send a screenshot.
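The first thing an admin should do with a bounce like the one above is extract the reply code and the blocklist it names, query the blocklist for the server's own address, and see whether the listing covers the single host or a whole provider range, as it did here. The following is an added example, not code from the post; the sample bounce text is constructed after the one quoted, the address 217.147.31.10 is a made-up host inside the /24 from the record, and the mapping of Spamhaus DNSBL return codes to list names is assumed from Spamhaus's published return-code table and should be checked against the current documentation before relying on it.

```python
import ipaddress
import re
import socket

# Constructed sample bounce, modelled on the one quoted in the post.
SAMPLE_BOUNCE = """host xxx.xxx.su[1.2.3.4] said: 550 5.7.0 Your
server IP address is in the SpamHaus SBL-XBL database, bye (in reply to
RCPT TO command)"""

# Postfix-style "host X[IP] said: CODE ESC text (in reply to CMD command)".
BOUNCE_RE = re.compile(
    r"host (?P<host>\S+?)\[(?P<ip>[\d.]+)\] said: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d+\.\d+) (?P<text>.*?)"
    r"\s*\(in reply to\s+(?P<cmd>.+?)\s+command\)",
    re.S,
)

# Assumed Spamhaus zen.spamhaus.org return codes -> list name.
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL (DROP)",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}


def parse_bounce(text):
    """Pull the remote host, its IP, the SMTP reply code, the enhanced
    status code, the reply text and the SMTP command out of a bounce.
    Line breaks inside the reply text are collapsed to single spaces."""
    m = BOUNCE_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    d["text"] = " ".join(d["text"].split())
    return d


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_response(answers):
    """Map the A records returned by the DNSBL to list names."""
    return sorted({SPAMHAUS_CODES.get(a, f"unknown ({a})") for a in answers})


def lookup(ip, zone="zen.spamhaus.org"):
    """Live DNSBL check (needs network). NXDOMAIN means 'not listed'."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return []
    return classify_response(addrs)


def covered_by_listing(ip, listed_cidrs):
    """Return the CIDRs from an SBL record that contain the given IP;
    a hit on a /24 or wider means the whole provider range is listed,
    not just your host."""
    addr = ipaddress.ip_address(ip)
    return [c for c in listed_cidrs if addr in ipaddress.ip_network(c)]


if __name__ == "__main__":
    bounce = parse_bounce(SAMPLE_BOUNCE)
    print("reply:", bounce["code"], bounce["esc"], "from", bounce["host"])
    print("query name:", dnsbl_query_name("217.147.31.10"))
    print("covered by:", covered_by_listing("217.147.31.10", ["217.147.31.0/24"]))
    print("sample answers:", classify_response(["127.0.0.2", "127.0.0.4"]))
```

Only `lookup` touches the network; everything else works offline, so the parsing and range check can be run against archived bounces. When the range check shows the listing is wider than your own host, the fix is with the provider and the list operator, not in your mail server configuration.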
With my mind boiling, I wrote a letter to sbl-removals describing the situation in detail. By this time complaints from users were pouring in. The Spamhaus robot accepted my request instantly, which was confirmed. But there was no reply to the request, and the next day the problems continued. After calling the provider and making sure they were also taking action, I decided to look for a workaround: ask the employees whose recipients were affected to phone the IT staff of the recipient companies and request that we be added to their whitelists (well, what normal admin is going to whitelist who knows whom), or to contact me so I could explain. To my surprise, nobody wanted to so much as listen to the explanation. The attitude was "you are guilty, solve your problems yourself," and that is what prompted me to write this long story.
Friends, colleagues! When you trust a particular technology, don't forget to think for yourselves; it may turn out that those who run that technology did not think about the consequences of their actions. Everyone makes mistakes, some less often, some more. But with enough will, almost any problem can be solved.
PS
In conclusion, I will add that only after joint action by IQHOST and TEL (and possibly mine) was this record removed from the Spamhaus database. But that happened only on March 26, four days later.
Perhaps there are people from TEL or IQHOST here on Habr who know the details of the correspondence with Spamhaus and can add them.