Spamhaus Answers Questions

Online marketing expert Ken Magill (magillreport.com) asked Steve Linford of The Spamhaus Project to answer some questions posed by various marketers with whom he talks. There were quite a few questions, some a bit pointed but most with genuine interest in how Spamhaus SBL operates. In this post we’ll begin to answer those questions as best we can.

The Spamhaus SBL is the original zone published by Spamhaus since 2001. The criteria for SBL listing and general policies for SBL have remained essentially unchanged for over ten years, although we have made refinements in the wording of those policies, and of course many improvements in detection and processing of spam. SBL criteria include spam origination, hosting of spammed content, known spam operations and spam support services. In addition to the SBL, Spamhaus also publishes the XBL (spam-bots) and PBL (dynamic IP) lists, and the DBL list of spam domains. In this Q&A discussion based on questions from representatives of various companies engaged in bulk email marketing, our focus is on spam origination SBL listings.

Even within the “spam origination” criteria we find myriad variations which affect both the listing and delisting decisions made by our SBL team members. The spectrum we see is so diverse and situationally dependent that it precludes providing one-size-fits-all answers. The answers in the following discussion are accurate to the extent that we can generalize them, but there are always exceptions, edge cases, and reasons why general answers don’t apply to specific cases.

A few of these questions allude to, “How much can we get away with before we get listed by Spamhaus?” In Spamhaus’ opinion, the goal of any legitimate marketer should be to send email only to those people who request it and want it. Professional deliverability tools-of-the-trade such as using confirmed opt-in, providing incentive to customers to use their correct address, and paying attention to bounces and engagement will normally keep you off our radar and out of our lists.

So, let’s get on with the Q&A!

1. How can Spamhaus work directly with legitimate marketers when issues arise? Wouldn’t it best serve customers and the overall email industry to resolve issues in good faith, as opposed to staying at arms’ length?

First off, Spamhaus’ loyalty is to our users who do not want to receive spam. We work to serve them.

Next, we already work directly and on good terms with both senders and receivers in the emailing industry. We’re a small organization with limited time and resources; we work directly with ISPs, ESPs, marketers and independent contractors in resolving individual SBL listings on a daily basis, and our time and resources don’t extend much beyond that.

We are members of M3AAWG and we participate in other public and private fora as time permits.

By following well-established practices of email address acquisition and list hygiene, most bulk mailers, including marketers, simply don’t have spam problems and we don’t see them in our search for spam. One of the effects of Spamhaus’ efforts against spam is that legitimate bulk email is better received, both physically and perceptually, by the target audience because it’s not buried in spam. Our efforts are always meant to be in good faith, we do work with the industry, and any distance marketers may feel from us is, we believe, related to their avoidance of using best practices for bulk emailing.

2. How is Spamhaus working with legitimate marketers to improve list hygiene? Do they have a list of ‘best practices’ that they’d ideally like brands to follow that are business friendly (getting that customer email address) as well as good for business (legitimate email address)?

Our Marketing FAQs cover the fundamentals of bulk emailing. While it is a rather old FAQ, we’ve updated it several times and it still provides a solid basis for proper address acquisition and list hygiene.

Some additional ideas we like:

1) Include a “this is not me” link in receipts and other transactional email so that victims of spam sent to a typoed email address can tell the company that the email address was typoed and to stop sending email to it.

2) Send transactional emails and marketing emails from different IPs.

3) Confirm any email address before sending marketing emails to it, or before continuing to send ongoing transactional mail. The receipt can carry the request for a unique opt-in confirmation of, “Would you like to subscribe to our newsletter?”

4) Mail a list frequently enough to retain good customer engagement. Measure that engagement and remove non-engaged customers as appropriate.

5) Be sure to remove and/or suppress addresses which hard-bounce, and correctly manage unsubscribes as well.

6) Once addresses are retired from a list, whether due to unsubscribe, bounce or non-engagement, don’t try to squeeze some unknown value from those addresses by mailing them again.

3. As more retailers offer to “email your receipt” in stores, the problem of mistyped email addresses is likely to increase, and hitting Spamhaus traps will be more prevalent. Is there some way for Spamhaus to “ignore” emails that it gets from retailers when they see a capture event type (like a receipt)? Could they eventually focus instead on ensuring that marketers have good list hygiene by ensuring that the email is no longer mailed 12 months after not activating? Or what would they recommend?

Email addresses used for transactional mail must not be used for marketing email without permission.

Email addresses used for transactional mail must be confirmed if they are to be used on an ongoing basis, even if only for ongoing transactional mail.

Just because someone says an email address is theirs, don’t believe them without confirming it.

Don’t continue to mail to an address just because you mailed to it once before (without confirming it). See Case Study 3 in our March 2013 blog: Problems seen in transactional messages.

Allowing 12 months of spam is not an option Spamhaus is interested in, and our users support us in that.

Typos aren’t just a nuisance to Spamhaus or our spamtraps. When you are collecting email addresses in an environment where typos are common (such as points-of-sale), they result in spamming real email addresses, not just spamtraps. Typos affect not just domains (where we can possibly spot the typo as a typo) but also the username portion of the email address. A typoed username at a commonly-used ISP or company domain with lots of email addresses is very often an active email address of a completely different user. Unsolicited bulk email to live email addresses is precisely what Spamhaus aims to stop.

4. How many different types of spam-traps does Spamhaus monitor, and are some traps more dangerous than others?

Spamhaus investigates many varieties of data including mail received at spamtraps. The variety and permutations of spamtraps are immense. We treat nearly everything about our traps as proprietary information. However, the focus on spamtraps is overblown. While they are a useful tool, they are not the end game of SBL listings. The end game is to not send spam. Avoiding traps is normally not a problem with proper data acquisition and hygiene, and we strongly suggest that senders focus their efforts on those fundamentals rather than be dazzled by the myriad ways that bad data management can go wrong.

Playing evasion games to avoid traps is nearly infinitely more difficult and troublesome than simply practicing good acquisition and hygiene.

5. If hitting spamtraps is the only criterion what is the threshold?

The acceptable level of spam is zero and spamtraps are not our only listing criteria.

6. Does Spamhaus use email addresses that were used to subscribe to mailing lists and then discarded? Do old Yahoo, Gmail addresses become spam traps? How old? Also are they being tracked by Spamhaus?

We maintain many different types of spam traps, and we won’t go into specific details of our traps, so it’s impossible to answer that question directly. Yes, they are tracked by Spamhaus (seems obvious to us, but there it is). We also use many other sources of data beyond traps. What those data sources have in common is our high confidence in their reliability as indicating our definition of spam: Unsolicited Bulk Email.

We would certainly consider it foolish to spam any old address of unknown provenance, and we’ve heard that churn times of addresses at big mailbox providers are typically less than a year.

7. Are Spamhaus listings [ever] based on complaints sent to them?

No, not in the sense of SpamCop reports or Feedback Loops (FBLs). We do not accept spam reports. See: Is there a way to report spam to Spamhaus?

We do investigate spam issues brought to our attention by colleagues in the anti-spam arena, and results of those investigations can lead to an SBL listing when we confirm the problem with our own reliable data.

8. How is Spamhaus certifying an ESP? What are the criteria?

Spamhaus does not certify ESPs. The Spamhaus Whitelist only certifies transactions and individual non-bulk senders, not entire ESPs.

9. When Spamhaus created their whitelist they chose not to permit “marketing of any sort” or permit any company applying who used an ESP. Because Spamhaus is in a uniquely privileged position with their whitelist, they could have helped the email industry with a new standard of trust. Why did they choose not to do this?

There are existing marketing whitelist systems such as from Return Path. We are not interested in competing head-to-head with those other systems. Our vision of the purpose of a whitelist is different than others already available.

Our goal is to identify mail sources so unlikely to send unwanted mail that recipients could totally whitelist them, meaning the messages bypass all subsequent filters including content, heuristic and Bayesian. Most receivers find they can’t do that with marketing mail, even when it is endorsed by other reputation services.

With our limited resources, attempting to verify that a stream of marketing email remains 100% pure over extended time is not feasible.

10. Does Spamhaus believe that email should be delivered to consumers who have opted-in to email marketing from brands?

Yes, of course, but Spamhaus also believes that “brands” should not bother people who have not asked for their marketing mail.

11. How can professional email marketers who wish to get opt-in emails delivered work with Spamhaus and other important providers of spam detection to help ensure spam is not delivered and other communications are?

Bulk mailers should follow all best practices, including list acquisition (opt-in only), list hygiene (bounce processing, engagement, RFC 5321, etc.) and technical standards (headers, content, DMARC/SPF, server behavior and configuration, etc.). Beyond our Marketing FAQ, many technical and educational resources for mailers exist, and implementation of those practices is outside of Spamhaus’ niche. Email industry groups such as M3AAWG provide informational material, for example the Sender’s BCP (ver. 2a) and Vetting BCP.

12. What is their goal with CSS and do they feel they’re achieving it? Are they catching the “bad guys” so to speak or could it be acknowledged that ‘babies are being thrown out with the bathwater’?

The goal of CSS is to keep pace with snowshoe spammers who are otherwise outrunning existing detect-and-list capabilities. It’s working quite well, thank you, and improving all the time. We’re aware of a very few edge cases where quasi-legitimate mailers were listed. The “quick removals” function of CSS helped them resume delivery, but we hope they re-examine their practices and their lists because in all likelihood they actually have some problems.

13. What trips a CSS listing? Spamtraps?

Our systems’ heuristics trip a CSS listing; it’s automatic. Spamtraps certainly contribute data to our systems, but we don’t publish CSS heuristics.

14. How real-time are the SBL listings? In other words, if you sent something a week ago, could that cause you a listing now, or does it happen from the most recent mail only?

Well, as we stated in the opening of this post, there are so many variables to an SBL listing that a simple answer to that isn’t possible. Our goal is to protect our users’ mailboxes from spam. In general that means that current, on-going spam is more significant than last week’s pile of garbage. But uncollected garbage continues to pile up and attract pests. Requiring the sender to fix last week’s pile of garbage may very well result in less spam to our users’ mailboxes next week. If you made a mistake and sent some spam last week, correcting the problem and not doing it again this week will most certainly reduce your chances of an SBL listing.

15. It’s clear from Spamhaus’ ‘recent SBL listings’ tracking list that the vast majority of SBLs are related to criminal behavior, most of which involves truly nefarious and malicious activity. It’s also clear from most of Spamhaus’ ISP ‘users’ that they no longer deliver most ‘spam’ or even ‘bacn’ to the Inbox and their filters are highly customized to identify unwanted messaging from dedicated IP address senders. So why does Spamhaus continue to believe that their resources should be spent blocking legitimate commercial email where there is clearly a larger need to maintain focus on the criminal actors, as well as the diminishing needs by their ‘users’ to block legitimate (i.e., dedicated and transparent) commercial emailers?

Background: Working for an ESP, we sometimes get reports that a client has hit a spamtrap owned by Spamhaus. After we vet the account, obtain list origins and determined it’s an account we can help resolve the issue and not a bad actor that got through our self-service filters, we need to understand the best way to proceed. We 100 percent understand the purpose of spamtraps and make sure it is a client we trust doing everything else correctly and maybe just have an old address or a typo mixed in within their list.

What a dissertation of a question! There are quite a few assumptions, guesses, assertions and the like in those statements which we’d have to fully qualify in order to do the question justice. For instance, what is “bacn”? Perhaps “bacon,” a pork-product many people want? Spamhaus has no such category in its DNSBLs.

Regarding criminal behavior, yes, virtually every SBL listing involves actions which are criminal in many jurisdictions including most of Europe, for example: Spamming.

Since “legitimate commercial email” does not include spam, there is an inherent contradiction in the premise of the question.

Some of our data users do “customize” their filters, as well as use our data in a variety of ways, but that’s not a reason for us to change our data. In fact, changing our data in response to their filters is likely to force them to have to change their filters again, and that’s no help for either us or them.

As far as stopping spam from mainstream brands reaching end-users’ inboxes, we’re glad to offer our assistance to anyone using our data for that purpose, just as we are for any spam.

Ultimately, we find that our users do not want any kind of spam in their inbox, not botnet spam, not mainsleaze spam, not advance-fee-fraud (aka “419”) spam sent essentially “by hand,” not phish, not clubs or churches or associations trying to pad their membership rolls; none of it! We also find plenty of shades of gray, from people such as the questioner who had one customer with one bad address to less responsible mailers, and we find that the camel’s nose does not instinctively wish to leave the warm tent, and we find that ignoring the problem doesn’t make it get any better. So, we do what we tell our users we do – we list spam sources. It works for us and our users, and so that is why we do it.

Let’s consider these next four questions as a set due to related issues of web (HTTP) interactions:

16. Can you confirm that spamtraps do not open, click or otherwise show engagement? In other words, if a client does have a spamtrap within their list, would removing or double opting in inactive subscribers help eliminate the trouble address?

Removing inactive addresses might help reduce spam, and re-confirming the list would certainly achieve that result. More about “open” and “click” issues in a moment!

17. Do they open/render images on emails they receive? If so, how would they expect a marketer to distinguish that from real engagement?

We expect marketers to verify the recipient’s permission before they add the address to their list. “Real engagement” would seem to entail some very tangible human action, for instance purchasing a product or service. We reserve the right to view spam messages including any rendering necessary for a person to interpret the content of the message. (Some spam only identifies its advertising content by rendering an image.) We don’t think that viewing a message in any way implies consent to send bulk mail to that address.

18. Ditto for clicks. Do they follow any of the links in the emails they receive?

Some of our spamtraps have systems which follow links under specific conditions related to CBL/XBL listings. Some spamtrap messages are reviewed by humans who may manually follow links to further investigate the spam (redirectors, affiliate programs, final landing sites, etc.). Most of our spamtrap systems, including those which primarily detect the sort of ESP/mainstream traffic that most legitimate marketers are engaged in, do not engage any HTTP traffic. We are careful to not follow links for confirmed opt in challenges, and the manual investigations represent a nearly immeasurably small fraction of the total spam we’re investigating, so those web hits are extremely unlikely to affect legitimate ESP metrics on real, valid subscribers.

19. If a marketer is mailing to a purchased list of all actively engaged recipients (opening and clicking their emails regularly), do they still run the risk of hitting spam traps?

First off, a “purchased list” should immediately raise flags. Sale of email address lists is illegal in many jurisdictions and in most cases such sale exceeds any permission granted by the address owners. Selling a list to more than one buyer (thus multiplying the number of lists each address is subscribed to) is well outside our acceptable permission standards.

Consider a pathologic case of a clever spammer with purchased opt-out lists. She could carefully watch which addresses were opened and build a list completely free of non-opening traps. Would that list be legitimate? Would it have the recipients’ permission? Hardly! Opening a message does not confirm permission.

With respect to the above group of questions, the use of web bugs or other techniques not involving intentional consent by the recipient is illegal in the European Union. Marketers have no legal way to know whether one of their messages was viewed by an EU user unless a direct and conscious action to inform them was made by the user (e.g. confirmed opt in). The very act of including a web bug in an email is illegal, let alone interpreting a click on the web bug as an expression of implied consent! Generally speaking, any and all consent requires an active human action. Not even submitting a form with a pre-ticked ‘subscribe’ box on a web site is considered a valid expression of consent: a user has to do the _action_ of turning on the tick before submitting the form. The 9 year old European Commission privacy document has all the basics (i.e., using purchased email lists is illegal, etc).

Another aspect to consider is the actual HTTP function used to gather such information. The GET function is best used only for retrieving information. As any automated function can complete a GET call, it is inherently insecure as a measure of human interaction. The POST function is a better choice for functions requiring a change of state, for example verifying permission. Using the POST function does not expose the per-recipient identifiers to automated collection and, in confirmed opt in, it requires human action to complete the subscription, thus verifying the user’s permission. More information about GET and POST functions can be found on these pages:

http://blog.teamtreehouse.com/the-definitive-guide-to-get-vs-post

http://stackoverflow.com/questions/3477333/what-is-the-difference-between-post-and-get

http://en.wikipedia.org/wiki/POST_%28HTTP%29
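
A minimal confirmed opt-in endpoint illustrating the GET/POST split described above, as an added example that is not Spamhaus code: the `/confirm` path, the token format and the seven-day link lifetime are assumptions, and the sample address and IPs are constructed. GET only renders a form; the address is confirmed only when that form is submitted with POST, and each token works once.

```python
import html
import io
import secrets
import time
from urllib.parse import parse_qs

TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class OptInStore:
    """In-memory subscription state (a real list would use a database)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # token -> unconfirmed sign-up record
        self.confirmed = {}  # email -> record with confirmation evidence

    def request(self, email, ip, origin):
        """Log a sign-up; return the token to mail in the confirmation request."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"email": email.strip().lower(), "ip": ip,
                               "origin": origin, "requested": self.clock()}
        return token

    def peek(self, token):
        """Return the live pending record for a token without changing state."""
        rec = self.pending.get(token)
        if rec is not None and self.clock() - rec["requested"] <= TOKEN_TTL:
            return rec
        return None

    def confirm(self, token, ip):
        """Consume the token (single use) and mark its address as confirmed."""
        rec = self.peek(token)
        self.pending.pop(token, None)  # used and expired tokens are discarded
        if rec is None:
            return False
        rec.update(confirmed=self.clock(), confirm_ip=ip)
        self.confirmed[rec["email"]] = rec
        return True


def make_app(store):
    # WSGI application serving /confirm for the given store.
    def app(environ, start_response):
        def reply(status, body):
            start_response(status, [("Content-Type", "text/html; charset=utf-8")])
            return [body.encode("utf-8")]

        if environ.get("PATH_INFO") != "/confirm":
            return reply("404 Not Found", "not found")
        method = environ["REQUEST_METHOD"]
        if method == "GET":
            # Safe method: render the form only. Mail filters and link
            # scanners that prefetch the URL must not subscribe anyone.
            token = parse_qs(environ.get("QUERY_STRING", "")).get("token", [""])[0]
            if store.peek(token) is None:
                return reply("404 Not Found", "unknown or expired link")
            return reply("200 OK",
                         '<form method="post" action="/confirm">'
                         f'<input type="hidden" name="token" value="{html.escape(token)}">'
                         '<button type="submit">Yes, subscribe me</button></form>')
        if method == "POST":
            # State change: only the submitted form confirms the address.
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8"))
            token = form.get("token", [""])[0]
            if store.confirm(token, environ.get("REMOTE_ADDR", "")):
                return reply("200 OK", "subscription confirmed")
            return reply("400 Bad Request", "unknown or expired link")
        return reply("405 Method Not Allowed", "use GET or POST")
    return app


def call(app, method, query="", body=b"", ip="203.0.113.7"):
    """Drive the app in-process (no sockets); return (status, body text)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/confirm",
               "QUERY_STRING": query, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body), "REMOTE_ADDR": ip}
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks).decode("utf-8")


def demo():
    """Constructed walk-through: scanner GET, human POST, replayed POST."""
    store = OptInStore()
    app = make_app(store)
    token = store.request("User@Example.org", "198.51.100.20", "store receipt")
    scanner = call(app, "GET", query=f"token={token}")
    confirmed_after_get = "user@example.org" in store.confirmed
    human = call(app, "POST", body=f"token={token}".encode())
    replay = call(app, "POST", body=f"token={token}".encode())
    return (scanner[0], confirmed_after_get, human[0],
            "user@example.org" in store.confirmed, replay[0])

if __name__ == "__main__":
    print(demo())
```

The confirmed record keeps the sign-up IP, origin and both timestamps, so the acquisition process can be documented as well as enforced.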

20. Does Spamhaus report traps hit immediately? For example, if a long standing client is reported for hitting traps, is it safe to say it was from a recent upload or signups?

If something changed on your end shortly before an SBL listing, it’s probably a good idea to consider that it could be related. But, as mentioned in a prior answer, an SBL listing could happen at an indefinite time after the spam commenced; we might not see or notice the first hits. You should at least take a look for other poor practices on the affected client or list which could have been ongoing prior to the SBL listing. Also, “immediately” in SBL terms could be an hour or a day or three; it’s a manual process and listings don’t occur in the same “real time” sense as XBL or CSS.

21. Besides typo, harvested, purchased, and recycled spamtraps, is there any other way a trap would appear in a client’s list?

It is entirely possible; spammers have been known to be quite imaginative about where they get their addresses. So are we.

E-pending is a bad idea (PDF). We’ve seen offers for a service to build a list based on simply inventing email addresses for given domain names. Dictionary attacks are not uncommon. Waterfalling, contrary to some opinions, does not remove all spamtraps. “Verification services,” while possibly legitimate and well intentioned, still don’t take the step of confirming the address owner’s permission. And ultimately, it’s real user mailboxes which matter most, not spamtraps.

22. What if someone manages to identify a spam trap’s identity and enroll it on a competitor’s mailing list? How lenient is Spamhaus to these issues knowing they exist?

It is not possible to enroll any address in a Confirmed Opt In list without the address owner’s permission, so defending against such an attack is easy and we encourage all list owners to do so. We recognize the difference between confirmation requests and advertising.

We do not reveal trap addresses and have not witnessed the described process as an abuse vector affecting SBL listings (although we have heard of many list problems with forged subscriptions). We hear lots of claims to be able to identify spamtraps but little evidence.

In rare cases where traps have been inadvertently revealed, we burn that trap indefinitely, sometimes permanently, but always until we are confident that the data it produces is reliable and effective.

If you honestly feel that such a situation explains your SBL listing, you may certainly mention it in your removal request, and explain why, but we will still expect strong measures be taken to ensure that no other forged subscriptions are on the list and that it won’t happen again.

Where the rubber meets the road is not spamtraps but real users’ mailboxes, and they can get forge-subbed and list-bombed, too. We have seen–and many of us have experienced–list-bombs where forged subscriptions result in hundreds or thousands of messages in a single mailbox in a few hours. Do you really think any user should be forced to “unsubscribe” from lists they never subscribed to or have any knowledge about?

23. Currently, we understand that typo-traps are being monitored by Spamhaus, but that they are mainly being used to advise marketers on the risks of mailing non-confirmed opt-in. Are there any plans over the next year to increase the blocking frequency and severity on marketers mailing to typo-trap addresses and domains?

As we have done for over ten years, we intend to continue turning the screws on spam, as tight as we are able. While classifying various kinds of traps may offer solace to people who do not adequately control their subscription processes, SBL listings are not based on such artificial distinctions. With all the attention recently given to so-called “typo-traps,” we continue to see marketers hitting many other types of email addresses: long-dead accounts, purchased lists, their own suppression lists, other people’s suppression lists, addresses seeded into various systems to catch e-pending and other address dissemination, message-IDs, and just complete nonsense delivery attempts where we are not sure how the marketer botched their list.

Again, all the emphasis on spamtraps is rather misplaced. While traps are one way to detect spam problems, the goal of legitimate mailers should be to only send to fully opt-in subscribers, not simply to avoid spamtraps. If only spamtraps received spam and user mailboxes were completely free of it, Spamhaus would have no reason to exist.

24. Can you confirm that Spamhaus has a lower tolerance for newly allocated domains and IPs?

Reputations, good and bad, are built over time. Experience has shown us–as well as the receivers we talk to–that giving “benefit of the doubt” to newcomers in the bulk mailing world is a proposition bound to perpetuate spam, so reputations tend to start out poor before they become neutral or good. Consider why snowshoers change domains and IPs so often.

25. Based on a sender’s business model, reaching out to their customers every 2, 3, or even 4 years may be necessary or applicable business practice. (example: purchasing a new car, TV, kitchen appliance). If this is necessary business practice, how can a sender do this safely without risking hitting too many traps?

Snail mail! The average life-expectancy of an email address is around six months*, so for many consumer applications such as those examples, email is unlikely to be a reliable channel. Other practices which would help would be COI and more frequent engagement mailings. We are aware of lists, even fairly large ones, which mail at low frequencies yet experience normal delivery, but those tend to be professional interest lists where subscribers are more comfortable providing such long-term personal info. Also, keep in mind that with truly low sending rates, the odds of those mailstreams coming to our attention are greatly diminished.

*Off-hand word-of-mouth for many free webmail accounts.

26. What qualifies a domain for listing on the DBL? How is this different from listing the sending IPs instead on the SBL or CSS lists?

DBL listing is an automated process based on our proprietary heuristics. We can also make manual listings based on our investigation but those are a tiny fraction of the DBL zone. Filtering based on IPs and domains, as opposed to just one or the other exclusively, provides our clients with better protection against spammers who change either domain or IP, or both.

27. What business hours do Spamhaus employees work? Or, what is the best time to reach out to Spamhaus?

There are Spamhaus people all around the world, they do Spamhaus work as their schedule permits, and someone is always on watch, 24-7-365. It’s been like that for over ten years and that remains into the foreseeable future. We generally respond to SBL removal requests within 24 hours, and email is how to reach us for that.

28. Will Spamhaus ever engage in a phone-call with Marketers?

The Spamhaus team communicates and collaborates via email, and that’s also the way we prefer to be contacted. All SBL listings are resolved exclusively by email. That gives us and you a written trail of what is said, and it allows the SBL team to monitor and review its work.

29. What information must be collected in order to provide evidence that a subscriber opted in to receive a commercial email?

Most systems log email address, connecting IP, timestamp, and origin of the subscription (where the address was collected). Name and other personal info may also be collected. That’s all good for your own use, but all such evidence can also be forged so it really doesn’t help in resolving an SBL. Besides, we understand that you may not be able to share private information. The important thing to show us is not the historic logs, although they might help in some case, but a documented process of address acquisition, for example a process where we could confirm a subscription for our own test address.

30. If an ESP sends mail for multiple clients on a shared range of IP addresses and uses a shared sending domain, what is the best way to work with Spamhaus to resolve a block listing issue for an offending client while maintaining service for the rest of the clients on the range?

…and…

31. If an ESP sends mail for multiple clients on a shared range of IP addresses and the sending domain for each is a separate sub-domain, what is the best way to work with Spamhaus to resolve an issue for an offending client while maintaining service for the rest of them?

In both cases, read the SBL listing first to understand the problem, then contact SBL-removals as soon as possible to explain the situation. We know about mixed mailstream IP ranges, and if you’ve suspended the problem part of the stream so that our users won’t get the spam (including clearing your outbound mail queue) we can usually work with you to quickly resolve the listing. Of course, we expect the spam to stay stopped (that may entail a wide range of solutions).

As far as sending domains, whether shared or subdomains, provide all the transparency you possibly can up front, publicly. Domain whois records identifying the sender, proper rDNS, fDNS resolving back to your IPs, and IP whois records reflecting your control of the range are good indicators of responsibility.
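
One way to check the “proper rDNS, fDNS resolving back to your IPs” indicator across a sending range is a forward-confirmed reverse DNS audit. This is an added example, not a Spamhaus tool; the function names, status labels and the constructed `maindomain.example` records are assumptions.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for an IP via the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_addrs(hostname):
    """A/AAAA addresses for a hostname via the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def check_fcrdns(ip, expected_domain, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Classify one IP: 'ok', 'no-ptr', 'forward-mismatch' or 'foreign-domain'."""
    target = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr"
    # Keep only PTR names whose forward lookup returns the same IP.
    confirmed = [n for n in names
                 if any(ipaddress.ip_address(a) == target for a in addr_lookup(n))]
    if not confirmed:
        return "forward-mismatch"
    # The confirmed name should sit under the domain that identifies the sender.
    domain = expected_domain.lower()
    if not any(n == domain or n.endswith("." + domain) for n in confirmed):
        return "foreign-domain"
    return "ok"


def audit_range(cidr, expected_domain, **lookups):
    """Run the check over every address in a CIDR block."""
    return {str(ip): check_fcrdns(str(ip), expected_domain, **lookups)
            for ip in ipaddress.ip_network(cidr)}


# Constructed records for an offline run (documentation address space).
SAMPLE_PTR = {"192.0.2.0": ["branda.maindomain.example."],
              "192.0.2.1": ["brandb.maindomain.example"],
              "192.0.2.2": ["mail.other.example"]}
SAMPLE_A = {"branda.maindomain.example": ["192.0.2.0"],
            "brandb.maindomain.example": ["192.0.2.99"],
            "mail.other.example": ["192.0.2.2"]}


def demo_audit():
    return audit_range("192.0.2.0/30", "maindomain.example",
                       ptr_lookup=lambda ip: SAMPLE_PTR.get(ip, []),
                       addr_lookup=lambda host: SAMPLE_A.get(host, []))


if __name__ == "__main__":
    for ip, status in demo_audit().items():
        print(ip, status)
```

Called without the `ptr_lookup` and `addr_lookup` arguments, `audit_range` queries live DNS through the system resolver.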

32. Is there any risk to having multiple, separate sub-domains of a single parent domain, each sending mail for different clients or are the domains treated entirely separately? (ex: branda.maindomain.com, brandb.maindomain.com, brandc.maindomain.com)

We’d rather see that pattern than “domain1.com, domain2.com, domain3.com,” (or abc.com, zyx.com…) which is more typical of snowshoers attempting to evade filters. It’s more transparent to the outside world and easier for you to maintain “abuse@maindomain.com” than separate abuse accounts at every different domain. It’s a good way to convey in rDNS what is really happening within your network in terms of different customers sending different mailstreams. The risk is that “maindomain.com” may get filtered if too many subdomains look bad, but that needs to be a risk you accept and manage by maintaining the reputation of all subdomains. Not accepting such a risk begins to look like bad guys trying to evade. Ultimately, building reputation on one domain (even one with many subdomains) is easier and stronger than building reputation on many domains.

33. Are blacklistings all done by humans or are some automatically triggered by the receipt of *any* emails to an address? In other words, does the *content* or *purpose* of the message matter at all, or is it simply the fact an email was received? And if it is reviewed, are there formalized criteria for this evaluation?

The term of our industry is “block listings.” We list CIDR blocks of IP addresses, which in turn can be used to block spam.

SBL and PBL listings are made by humans. XBL and CSS listings are automated.

The content or purpose of the email is not a criterion for an SBL listing (it’s about consent, not content); however, any bad content can only make things worse for the sender. For example, if we see hashbusters, forging or other obfuscation techniques only used by spammers, that tells us that the spam is intentional, and then we’re unlikely to settle for list-hygiene sorts of remediation. Those sorts of spammers should be terminated, preferably with release of all known information about them.

34. Do they collaborate with other blacklist providers? E.g. is it possible to get listed (or a listing escalated) within Spamhaus because of hits elsewhere or vice versa?

As stated above, we review many sources of data in researching SBL listings. A bad public reputation at a reliable reputation service provider is a piece of data we consider, but it alone or in combination with other third-party data would not be enough for an SBL listing. We need to see our own evidence of SBL criteria.

We do not give permission to anyone to republish our data without the express, formal consent with our DNSBL Usage Terms. Such republishing involves filter vendors who use our data in building their proprietary product, differentiated from our DNSBLs.

We may, at times, import data into our zones from other sources which have met our strict review for quality, under mutual agreement with the data producer. An example of that was the NJABL open proxy list imported into our XBL zone. NJABL-sourced data produced a different response code to DNSBL queries than CBL-sourced data. NJABL has gone out of production and is no longer included in XBL.
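The answer above notes that different data sources answered DNSBL queries with different response codes. The following added example (not Spamhaus code) shows how a receiving mail system can build the query name for an IP and interpret the returned A records, including the error answers that must not be mistaken for listings. The zone name `zen.spamhaus.org` and the code values come from Spamhaus's published return-code documentation rather than from this page, the function names are hypothetical, and the sample answers are constructed.

```python
import ipaddress

ZONE = "zen.spamhaus.org"  # assumption: combined zone, not named on the page

# Return code -> (list, how the listing is made, per answer 33 on this page).
# Code values are from Spamhaus's published return-code table, not this page.
CODES = {
    "127.0.0.2": ("SBL", "human"),
    "127.0.0.3": ("CSS", "automated"),
    "127.0.0.4": ("XBL", "automated"),  # CBL-sourced data
    "127.0.0.10": ("PBL", "human"),
    "127.0.0.11": ("PBL", "human"),
}
# Remaining XBL range; per the page, NJABL data answered with a different
# code than CBL data (the page does not say which one).
CODES.update({f"127.0.0.{n}": ("XBL", "automated") for n in (5, 6, 7)})

# Answers that report a query problem. They must never be read as a listing.
ERRORS = {
    "127.255.255.252": "typing error in zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def query_name(ip, zone=ZONE):
    """Reverse the address (octets for IPv4, nibbles for IPv6), append the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer
    return reverse.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def classify(answers):
    """Interpret the A records returned for one lookup (empty list = NXDOMAIN)."""
    lists, errors = {}, []
    for answer in answers:
        if answer in ERRORS:
            errors.append(ERRORS[answer])
        elif answer in CODES:
            name, made_by = CODES[answer]
            lists[name] = made_by
        else:
            # Unknown code or an address outside the table (for example a
            # resolver rewriting NXDOMAIN): surface it, do not block on it.
            errors.append("unexpected answer " + answer)
    return {"listed": bool(lists), "lists": dict(sorted(lists.items())), "errors": errors}

if __name__ == "__main__":
    # Constructed answers for a documentation address; no DNS query is made.
    print(query_name("192.0.2.99"))
    print(classify(["127.0.0.4", "127.0.0.11"]))
    print(classify(["127.255.255.254"]))
```

Treating an error answer or an unexpected address as "listed" is a common cause of a receiver rejecting all inbound mail, which is why `classify` reports those separately.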

35. Are decisions to blacklist made by any of the volunteers? Is there a QC or review process internally?

Each member of the SBL Team has full authority over addition and removal of IP ranges in the SBL zone. The entire team has oversight of the removal dialogue and discussion is common among the team. Discussion is required before major SBL listings such as escalations are made. Quality control is a routine, ongoing, daily process; that’s how we keep our reputation.

Again, the proper term is “block list” or simply “list.”

36. Why do they sometimes just list the offending IPs, but other times appear to name and attack specific marketing brands?

SBL investigations involve many aspects of a spam situation. Some situations require listing IPs related to the “marketing brand” (which normally means the party which paid for the spam) to take more effective actions to permanently stop recurring spam problems rather than simply listing the sending ESP. “Marketing brand,” in that case, means the corporate website (or other IP assets) of the spam payload; they’re the ones who are endorsing the technique and benefiting from the use of spam marketing.

37. What do they say to claims they are unfairly targeting legitimate marketers?

Legitimate marketers don’t send spam. A list of spam-related IPs is not unfair to spam recipients. We don’t even think it’s unfair to spam senders, although we know they don’t like it. Marketers and mailers who don’t spam should have no problem with us.

38. What’s their opinion of list rental or other one-time *opt-in* offers to an email address?

Provided that the subscribers to that list really did give their permission to receive such offers (which can be a big assumption in some cases, but true in others), and that possession of the addresses doesn’t change hands (that would be list selling, not list renting) that’s no problem with us.

On the other hand, if permission is not granted, then the proverbial ‘one bite of the apple’ is still spam.

A common problem in list rental scenarios is misleading subscribers’ expectations. While the resulting mail might not be spam (addresses could even be confirmed), the unexpected contents can lead some recipients to report the messages as spam. Spamhaus does not accept spam reports but those reports could affect other reputation systems.

39. Typos & errors happen. What thresholds is Spamhaus using to avoid accidental listings and/or what can marketers do to avoid?

The acceptable level of spam is zero. To avoid typos, use confirmed opt in. Other errors require other tools: bounce processing, aging out stale data, engagement and other deliverability tools and strategies keep most bulk mailers off our spam radar. Good intentions are nice but bad practices are the reason for SBL listings.

40. Could they imagine cooperating with the DMA and if so, what would that look like?

The DMA (the one in the USA) has advocated the sending of unsolicited bulk email (aka “spam”), a practice which is contrary not only to Spamhaus’ task and the wishes of our many users but is contrary to the MAAWG Sender Best Current Practices for the email marketing industry and is against the terms and conditions of nearly all Internet providers on the planet. Spamhaus wants users of email to receive the messages they have requested, and to not have to have them lost in their inboxes amongst thousands of other messages that they haven’t requested. Savvy marketers see us as allies, keeping inboxes clean so their solicited messages don’t get lost in the deluge of spam. When the DMA accepts that unsolicited bulk email is a plague and stands solidly behind anti-spam best practices, then we’ll be in cooperation.

41. What can hosting networks do to get off Spamhaus? I run abuse for a hosting provider in the US. We’ve had our share of SBL and XBL listings, and have responded by tuning in to feedback loops and aggressively removing customers who trigger listings and complaints. We also thoroughly vet new customers using a credit card fraud service as well as telephone verification, captchas, and other techniques. With all this being said, the problem is that mail still flows out of our customers’ servers (which we don’t control, because they are dedicated and VPS servers). How can we block the spam proactively? Is there a way that Spamhaus could send us feedback data other than a blacklisting? Can anyone else help with this?

Those all sound like appropriate steps for the hosting ISP environment, and they’re among the suggestions in our ISP Spam Issues FAQ. We understand that spammers can be sneaky and hard to prevent. SBL listings are narrow in well-run hosting ISPs, where troubles are minimized with practices as mentioned and problems fixed promptly once identified. Once spam starts flowing, though, it’s too late for warnings. We need to protect our users. Work with the SBL Team to get SBLs resolved as soon as possible. Thanks for your diligence to prevent spam to the best of your ability; we know Abuse@ can be a tough job.

42. What is the risk of a single “typo” email record? If the record is mailed once, but not ever again, is that enough to get listed? Is it true that a sender will get a warning first, and then if non active records are mailed again, that is when the block is placed? (If a person submits their email address, how can a marketer know if it’s good if we don’t mail it at least once?)

SBL listings are not made for truly transactional messages (even misdirected ones) or confirmations, so no, a single typoed message won’t result in an SBL. On the other hand, a big enough stream of such messages directed at an appropriate receiving detector could appear to be a dictionary attack or similar, and it might well be such. An SBL listing would be appropriate in that case.

A single message from a “spam-bot” (an infected computer or device sending botnet spam) can result in an XBL listing. It is unlikely but not impossible that an ESP or other dedicated mail IP could become infected with a spam-bot. If that happens, follow the instructions linked from our Blocklist Removal Center (including subsequent pages), fix the problem, then remove the XBL via the web.

Spamhaus sends notifications at the time of an SBL, but not warnings before it. No one warns us before they start spamming.

43. Do Spamhaus volunteers take “complaints” from other people, or are they only identifying “bad actors” based on personal receipt of a message?

44. How many volunteer complaints are required to flag a sender? (One? Ten?) Is this tracked at the individual level or just total? For example, one volunteer who complains five times counts as one or five?

Spamhaus neither solicits nor accepts spam reports (complaints). Our spam experts research many different sources of information including both live and trap addresses as well as many other streams of data. Out of the billions of connections and hundreds of millions of spam messages we accept past DATA, we really don’t see spam as a single digit problem.

45. Would Spamhaus support a reconfirmation (COI) program only for non-active records? (All active records would not be reconfirmed.) How would Spamhaus define “active” for this purpose?

We encourage COI for initial address acquisition and we also support it to remediate some problem lists. Subscribers should have already confirmed their opt-in status at time of acquisition or via engagement such as actually buying a product. Simply opening a message does not inherently demonstrate permission, but active participation (purchase, discussion, etc) might. Bounces and unsubscribes must be fully processed before such a permission pass. If a list is tainted by a bad import segment, then such segments should be removed. Finally, after the list is brought up to good hygiene standards, a permission pass (COI) can validate the remaining subscribers. Hopefully it goes without saying that there should be good reason to believe the list had a bona fide “opt in” provenance to begin with, and was not simply some compendium of things that looked like email addresses scraped together from dark places where hucksters hide.

In exceptional cases where the provenance of the list was particularly reputable, we have heard of as many as three confirmation passes to build full engagement of would-be subscribers. We even blogged about this back in 2008.

46. I’m wondering how to get the Spamhaus Whitehat Network-label, what are the requirements?

Whitehat Star images are displayed when ISPs–with direct IP allocations from the RIR–have no SBL listings on their network and our SBL Team agrees that the ISP demonstrates stellar Abuse@ handling including both proactive and reactive spam prevention. An example of it is visible here.

47. If a mailer feels they have a legitimate dispute to an SBL listing, does Spamhaus act as Judge and Jury, or is there an independent arbitrator? If not, why not?

The Spamhaus team has always provided sufficient internal checks and balances to satisfy our users. They have always been the “independent arbitrator” of our listings and listing policies.

48. Is your goal to shut down all non-double-optin commercial email, or just spammers? Based on how Spamhaus treated Gap Brands, it seems like the former.

We just want to stop spam. Our goal is to prevent our users from receiving spam. We do find that COI is a valuable tool in that regard and we hope Gap Brands and other senders also find it to be more valuable than spamming.