How long does it take to have IP removed from spamhaus?

groston

I moved to a VPS because I was sick and tired of having my shared providers' IP wind up on a blacklist. I felt fairly confident that by having my own IP that this would be a problem of the past.

Sadly, that is not the case.

Several days ago, my emails started being rejected. Wen I dug into the problem, I found that spamhaus.org has flagged the /24 subnet on which my server resides as "Network is hosting cybercrime, reports are ignored. Not a safe area to accept traffic from". (Just to be clear - that is not me!)

I immediately brought this to the host's attention and for the past 80 hours, they have assured me that "We are in a constant contact with SpamHaus. Trying to get this resolved. I sincerely hope it will be solved in the nearest future."

How long does it take to resolve this type of problem? Is the host being honest with me or are they blowing smoke? There seems to be little negative 'press' about the host on this site (which is why I am not naming them), so they may be telling the truth, but I am really getting impatient.

Yes, MandrillApp or Mailgun are work-arounds, but a) I really don't want them tracking all of my email and b) MandrillApp breaks outgoing Outlook calendar invites.

jar

Honestly, it depends on the size and details of the problem. SpamHaus is usually pretty easygoing if you're getting rid of the things they want you to get rid of. If you're arguing with them, well that's another story entirely, but otherwise they're fast and friendly.

You might even contact SpamHaus and ask them "Hey, is my provider legit working with you on this or lying to me about it?" They're not afraid to shame them if the latter is the case.

miTgiB

groston said: How long does it take to resolve this type of problem? Is the host being honest with me or are they blowing smoke?

Could be either, Spamhaus seems to be vindictive and retaliatory lately. Flip a coin, it's anyone's guess.

impossiblystupid

@groston said:
I found that spamhaus.org has flagged the /24 subnet on which my server resides

Why the /24? Is that the smallest subnet that SpamHaus blocks, or the largest your provider owns? Regardless of the details, escalations that involve collateral damage like this should not be taken lightly. You are known by the company you keep.

I immediately brought this to the host's attention and for the past 80 hours, they have assured me that "We are in a constant contact with SpamHaus. Trying to get this resolved. I sincerely hope it will be solved in the nearest future."

It's just not acceptable for a provider to not take action. They've placed you in a tainted IP space. Independent of any discussions they have with SpamHaus (or any other blacklists they find themselves on), they should be offering to move you to a clean space and/or credit you for services not rendered. And if they're not doing it, you should be preparing to do it yourself.

There seems to be little negative 'press' about the host on this site (which is why I am not naming them)

Makes no sense. Keeping quiet about who it is only helps them keep a reputation that they might not deserve. For everyone's benefit, shine some light on them.

doughmanes

miTgiB said: Could be either, Spamhaus seems to be vindictive and retaliatory lately. Flip a coin, it's anyone's guess.

That was my experience at the last provider I worked at. Spamhaus is like a bipolar girlfriend- sometimes she'll love you and sometimes she'll go psycho, try to burn your house down, cry and ignore you for a month

William

doughmanes said: Spamhaus is like a bipolar girlfriend- sometimes she'll love you and sometimes she'll go psycho, try to burn your house down, cry and ignore you for a month

Best SH analogy ever.

SH is a pain to deal with and depending on year and weather more or less legit at all.

doughmanes

I dealt with them daily over 3 years, last year when they start doing all the /15 SBLs is when they seemed more aggressive. Now they coughrecommend you use this paid third party SMTP filtering providercough

groston

All,

The has been no action on this matter in more than 48 hours and more and more emails are bouncing. The host in question is Cloud Shards.

Here is the report from Spamhaus - seems rather serious:

Ref: SBL281280
104.245.233.0/24 is listed on the Spamhaus Block List - SBL
2016-01-09 22:14:14 GMT | queryfoundry.net
Spammer hosting (escalation)

Network is hosting cybercrime, reports are ignored. Not a safe area to accept traffic from.

Same cybercrime gang, hosted again & again:

SBL281275 104.245.233.153 queryfoundry.net 2016-01-04 Credit card phishing domain hosting: trillionstudio.com / horisontsky.ws
SBL281180 104.251.176.207 queryfoundry.net 2016-01-03 Carding fraud site/forum: phishing/botnet server mcdumpals.su / dolabits.su / 555mir.ru / metazxc.ru
SBL280929 104.245.233.143 queryfoundry.net 2015-12-30 Credit card phishing domain hosting: trillionstudio.com / horisontsky.ws

I really do not have the time to move my VPS to another host, but I guess I need to start working on so doing.

alexnjh

@groston said:
All,

The has been no action on this matter in more than 48 hours and more and more emails are bouncing. The host in question is Cloud Shards.

Here is the report from Spamhaus - seems rather serious:

Ref: SBL281280
104.245.233.0/24 is listed on the Spamhaus Block List - SBL
2016-01-09 22:14:14 GMT | queryfoundry.net
Spammer hosting (escalation)

Network is hosting cybercrime, reports are ignored. Not a safe area to accept traffic from.

Same cybercrime gang, hosted again & again:

SBL281275 104.245.233.153 queryfoundry.net 2016-01-04 Credit card phishing domain hosting: trillionstudio.com / horisontsky.ws
SBL281180 104.251.176.207 queryfoundry.net 2016-01-03 Carding fraud site/forum: phishing/botnet server mcdumpals.su / dolabits.su / 555mir.ru / metazxc.ru
SBL280929 104.245.233.143 queryfoundry.net 2015-12-30 Credit card phishing domain hosting: trillionstudio.com / horisontsky.ws

I really do not have the time to move my VPS to another host, but I guess I need to start working on so doing.

Looks pretty serious going to be hard to delist.

Nyr

Your ISP doesn't give much fucks about hosting crap in their IP space and this has been ongoing for a long time already.

If you want to send email, use other provider.

ATHK

@CloudShards

My IP with them seems fine, what location are you in?

aglodek

@groston said: (...) I really do not have the time to move my VPS to another host, but I guess I need to start working on so doing.

Yep, sounds about right: run and don't look back!

Had same kind of case with ChicagoVPS/Colocrossing couple of years back... whole /20 or /18 blacklisted... took them months to sort it out with SpamHaus. And that listing was with respect to spam only, not alleged cyber crime!

impossiblystupid

@groston said:
104.245.233.0/24 is listed on the Spamhaus Block List - SBL

Ouch. I already have the associated /21 in my firewall, which means I was a direct target for their abuse at some point in the not-too-distant past.

I really do not have the time to move my VPS to another host, but I guess I need to start working on so doing.

If the main problem is MX, that can be solved independent of any other services you provide. One of the reasons I snapped up a cheap MXroute account is just in case I ever run into similar problems. I count myself lucky every time I send an email from my own VPS and it actually goes through. :-)

groston

Final notes:

1: Thanks to impossiblystupid, I purchased an account with MXroute and set up postfix to relay through it.

2: I received the following from Cloudshards today: This is a notification to let you know that we are changing the status of your ticket #170722 to Closed as we have not received a response from you in over 199 hours. And yes, absolutely nothing has changed - the IP range is still blacklisted.

3: When I have some spare time, I will be leaving Cloudshards. Yes, a host can occasionally take on a bad apple, but when such egregious behavior is clearly pointed out and the host fails to act, that tell you something about their (lack of) character.

doughmanes

groston said: Yes, a host can occasionally take on a bad apple, but when such egregious behavior is clearly pointed out and the host fails to act, that tell you something about their (lack of) character.

You don't understand how Spamhaus works and the private extortion they've put on companies starting about summer of last year. You'll jump to a new provider and same thing could happen.

Spamhaus occasionally "demands" (under threat of keeping the SBL active) for customer information and a host could refuse, which is understandable, and Spamhaus keeps the record up. In my handling for over 3 years at the last company I worked at, their request for customer information occurred at least once a week.

biuletech

If you want to mail why don't you get that kind of service from professionals that can offer those kind of services ?

Awmusic12635

I have been trying to get an SBL removed for a week. They simply don't reply.

miTgiB

groston said: When I have some spare time, I will be leaving Cloudshards. Yes, a host can occasionally take on a bad apple, but when such egregious behavior is clearly pointed out and the host fails to act, that tell you something about their (lack of) character.

You clearly do not understand Spamhaus and their unethical behavior

This is a client I have had for over 2 years based out of London, all their access to my billing panel is from London. I am assuming the ROKSO client signed up for shared hosting and created your concern, I've had my client lose their client.

Now, speaking about retaliatory, I beg to differ. SBL276396 is my case in point. All the related SBL listing were cleared once you actually notified me of the issue, yet this SBL listing remains active. I've been told it would remain as a place holder, if that isn't retaliatory, what is it?  I am seeing the ethics of Spamhaus becoming very questionable as of late.  When you start to get the proactive providers questioning that, your value to the community has to be damaged. Too often I am seeing emotion rule the day within your organization. There needs to be clearer procedures to have listings removed. A placeholder? That is the weakest excuse I think could be made, I know your org is capable of running a database, leaving cleared listing on an active SBL can only be retaliatory, or a desire to economically harm the recipient.

On 12/25/2015 5:54 PM, SBL Removals wrote:
> Hello, on 2015-12-25 11:41, you wrote:
>> I understand what a ROKSO spammer is, I am saying the listing you
>> provided looked fishy and retaliatory.  I've had this client remove
>> dynamixfx.com from being hosted on their VPS, can you remove the RBL
>> from my IP space
>
> We're far too busy to spend time "retaliating" against people or places, nor is it anything we'd do.  We see the spammer, see where they're hosted and publish an advisory to our users.  If a host or network has an abuse@ address set up, we send them a curtesy email.  You to them if they wish to support the abuser/abusive-behavior or not.
>
> Any Czech nexus to this one?  That area seems to be where a lot of their traffic originates from these days. 

doughmanes

Or you'll have to resolve a few SBLs on /29s to get the larger (/24 or greater) removed even when the larger SBL was issued within the past 12 hours. They make up the rules as they go along and know the impact of their SBL on sales and existing customers.

FlamesRunner

How to piss off Spamhaus:

1. Piss Spamhaus off

2. Unannounce your IP block

3. Shame them saying a unused block cannot send spam

doughmanes

That only works a few times when you announce an IP block for a shady customer

GM2015

Can someone enlighten us how much of this is true?

http://www.ripoffreport.com/r/The-Spamhaus-Project/internet/The-Spamhaus-Project-Spamhaus-Technology-Stephen-John-Linford-Steve-Linford-Geraldine-My-1144128

You guys are smart and like to be quoted, so fill us in the details.

doughmanes said: That only works a few times when you announce an IP block for a shady customer

miTgiB said: You clearly do not understand Spamhaus and their unethical behavior

aglodek said: Yep, sounds about right: run and don't look back!

Nyr said: Your ISP doesn't give much fucks about hosting crap in their IP space and this has been ongoing for a long time already.

If you want to send email, use other provider.

William said: Best SH analogy ever.

SH is a pain to deal with and depending on year and weather more or less legit at all.

impossiblystupid said: Why the /24? Is that the smallest subnet that SpamHaus blocks, or the largest your provider owns? Regardless of the details, escalations that involve collateral damage like this should not be taken lightly. You are known by the company you keep.

jarland said: You might even contact SpamHaus and ask them "Hey, is my provider legit working with you on this or lying to me about it?" They're not afraid to shame them if the latter is the case.

William

GM2015 said: You guys are smart and like to be quoted, so fill us in the details.

eh, a few % true, else likely bs.

But yea, SH is shady as hell in some things.

GM2015

And what parts of it are true?

William said: eh, a few % true, else likely bs.

doghouch

@jarland said:
Honestly, it depends on the size and details of the problem. SpamHaus is usually pretty easygoing if you're getting rid of the things they want you to get rid of. If you're arguing with them, well that's another story entirely, but otherwise they're fast and friendly.

You might even contact SpamHaus and ask them "Hey, is my provider legit working with you on this or lying to me about it?" They're not afraid to shame them if the latter is the case.

I knew that buying a /22 who wasn't "clean" was an awful idea; SpamHaus hasn't replied to my removal emails either... @jarland I shall go back to mxroute sniff my block

Jonchun

@doghouch said:
I knew that buying a /22 who wasn't "clean" was an awful idea; SpamHaus hasn't replied to my removal emails either... jarland I shall go back to mxroute sniff my block

They wouldn't have nearly as much power if they actually responded to inquiries like that. Providers like CC would just sell off all their IP blocks to their secret acquisitions and effectively "launder" IPs.

doughmanes

I will say the 'non-profit' part is questionable as in their responses, they will say they are doing this on behalf of their 'clients'

Jonchun

@doughmanes said:
I will say the 'non-profit' part is questionable as in their responses, they will say they are doing this on behalf of their 'clients'

Eh I actually have worked with legitimate NPOs (the one I'm thinking of specifically relates to women) and they refer to all the women they help as "clients" although its a completely free program. I wouldn't say its uncommon.

doughmanes

Jonchun said: I wouldn't say its uncommon.

Spamhaus is saving the Internet; "don't worry clients, we're going to save you!"

Read my point in the discussion regarding SBL arm twisting you into a paid SMTP filtering service.

Jonchun

@doughmanes said:
Read my point in the discussion regarding SBL arm twisting you into a paid SMTP filtering service.

Not disagreeing with you in that Spamhaus is trying to twist providers into uncomfortable situations. (There's plenty of OTHER proof of this) Was just informing you that referring to clients for a free/nonprofit service isn't shady/questionable on its own.

jar

doughmanes said: arm twisting you into a paid SMTP filtering service

They're not the only ones, honestly. Microsoft and Verizon are basically doing the same to providers on a regular basis, and IMO those two hold even more cards than SpamHaus does. Recommending it directly and forcing people into it lands on the same scale to me.