Witch Hunt
Here follows a sad tale of the modern-day witch hunt for 'spammers' and the damage done by the many enthusiasts trampling over innocent bystanders in their rush to stop them.

We were contracted to set up a web based mail facility called "Another.com", which provides web based email with vanity domain names (10,000 domains) and a hundred thousand users or so; it includes many neat features which are not relevant to our story. Email systems are what we do (we write and sell mail server software), so setting up this sort of system normally presents no difficulties. But this one was different.

The first sign of trouble was the incoming mail load: 100-200 connections a second, at least an order of magnitude higher than one would expect for the number of users. No problem: SurgeMail is very scalable, and adding a filter machine to handle the load was easy. A large part of the incoming load was bounces from other mail systems for messages we had not sent. Curious, but not too odd. This arises as follows: spammers have to put a From address on the messages they send, otherwise the messages are not accepted. If they put their own address, people use filters to block the email, so they put down other people's addresses, or just make up names and attach them to a valid domain. Now the problem started to make sense: this server hosted 10,000 domains, so if someone made up random email addresses the chance of the bounce landing on our server was 10,000 times higher than average. So it looked like we had to handle the load caused by other systems bouncing spam we didn't send, and protect another.com users from those bounces. All under control, or so we thought.

But then suddenly another.com users could not send email: our servers had been blacklisted by the spam police. Why would they blacklist these servers when the servers in question were not sending out spam and were not open relays?
It seems that if your host is listed in the Received headers, you are assumed to be guilty. This particular spammer always forged the Received headers so the message would 'look' genuine. The forgeries were very easy to spot; no human would be fooled. But the robots that analyze spam headers took the bait and instantly blacklisted our addresses. No problem, we thought: email the blacklist administrators, explain the problem, and they will remove us from the blacklisting database. The conversations generally went like this.
The annoying thing was that a week later the cycle would repeat. Again and again. It often took a surprisingly long time to find someone who would actually look at the headers, or understand them. How do people work in spam abuse departments without a basic understanding of email headers?

We found a simple solution: we split the incoming and outgoing mail servers so they used different IP addresses. Then it didn't matter to us if someone blacklisted our 'incoming' servers, because our clients do not use them to send email. (The MX records the spammer used to generate his forged headers point at the servers that receive mail; they have nothing to do with outgoing email.) All under control, or so we thought. :-)

We had underestimated the zeal of the anti-spam zealots. Suddenly our DNS entries disappeared. This is nasty: our domain name, our web site, our email, all vanished. We are a totally internet based business; you can imagine this was a nasty shock. We had been deleted from the internet! But why would the registry service do this? Surely these would be real experts; they would know about email protocols and forged headers, and they wouldn't just take action based on false accusations. But they did, and when we pointed out their error, did they apologise? No! They said that if we didn't stop the complaints they would disconnect us again, without warning and without compensation. So we moved to another registry service, assuming the first one was badly run. Two weeks later our domain vanished again. We were mortified. Again we explained the headers, again they reluctantly admitted we were right, but they didn't apologise and told us to move on or be permanently deleted. So then we had to host our own DNS server just to avoid this stupid issue. All well and good. Until last month, when one of our machines vanished off the internet: it turns out our ISP had contracted a new specialist spam abuse company.
Again we explained the header forgeries and asked for our server to be turned back on. They told us we were spammers and that they would turn the server off again if we didn't stop the spam. After two weeks we eventually convinced them that we were not sending the spam, but they still wanted the spam to stop and insisted we stop it somehow or risk further discontinuation of service. (I'm not joking: they wanted us to stop the spammer forging our addresses!) We were righteously indignant; it didn't help. We suggested it was morally dubious for 'our' ISP to discontinue service to us because of a third party spammer; it didn't help. We suggested we were a valued customer; it didn't help.

Although the real professional services like SpamCop have now recognized the problem and stopped listing our servers, there are many other blacklist services which are not so well run. Some of these block not only the IP address they think is sending spam but any nearby IP address, the logic being to punish ISPs that host spammers by hurting their other customers. This bothers almost no real spammers, but it causes endless problems for the many innocent businesses it affects. We have now moved our servers to three different ISPs and expect at any time to find one or more of them turned off. We are still looking for an ISP that is brave enough to stand up to the blacklists and make them correct their mistakes.
Does this mean that if you want to attack a company and get it deleted from the internet, all you have to do is send forged spam from their domain? Apparently yes! So what should 'you' do to avoid such problems? Well, you can make sure everyone you know understands that only the topmost Received header in a spam message is trustworthy: it was written by the server that received the message from the outside world, and every Received header below it arrived as part of the message data and can be forged. You can help to stop spammers forging your addresses (or other people's) by adding SPF records for your own domains and installing a mail server that can obey SPF records, ideally one like SurgeMail (hey, we're not biased) which can apply SPF even for domains which don't have SPF records yet. If you know of an ISP that has a bit of backbone and reasonable charges for high volume internet usage, please let us know so we can move our servers and start sleeping at night.

See this page for more information on SPF: https://netwinsite.com/spf.htm
See this page for updates to this story: https://netwinsite.com/press/witch.htm

Contact:
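As an added example (not code from Netwin or SurgeMail), here is the analysis the blacklist robots should have done. It walks the Received chain of a constructed spam message from the header our own MX wrote down to the headers the spammer supplied, and contrasts the origin our own server actually saw with what a header-scraping robot would blame. The host name mx.example.net, the another.com server names and all IP addresses are assumed for the example, and both messages are constructed.

```python
import email
import re

# Hostnames of the MTAs we operate (assumed for this example). A Received line is
# trustworthy only if one of these hosts wrote it; every line below that arrived
# as message data and may be forged by the sender.
OUR_HOSTS = {"mx.example.net"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"           # name the connecting host announced (untrusted)
    r"(?:\s*\((?P<seen>[^)]*)\))?"    # rDNS name and IP the receiving MTA itself saw
    r"\s+by\s+(?P<by>[\w.\-]+)"       # MTA that wrote this line
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed spam: the spammer at 203.0.113.77 announced itself as
# mail.another.com and pre-wrote two Received lines pretending the message had
# passed through another.com's servers. Only the first line is ours.
FORGED = """Received: from mail.another.com (unknown [203.0.113.77])
    by mx.example.net with SMTP id 100; Mon, 12 Jan 2004 10:00:00 +0000
Received: from webmail.another.com (webmail.another.com [198.51.100.10])
    by mail.another.com with ESMTP id 99; Mon, 12 Jan 2004 09:58:00 +0000
Received: from [198.51.100.20] by webmail.another.com with HTTP;
    Mon, 12 Jan 2004 09:57:00 +0000
From: jane@another.com
To: victim@example.com
Subject: make money fast

body
"""

# Constructed genuine message from another.com, for comparison.
GENUINE = """Received: from mail.another.com (mail.another.com [198.51.100.10])
    by mx.example.net with ESMTP id 101; Mon, 12 Jan 2004 11:00:00 +0000
Received: from [10.0.0.5] by mail.another.com with HTTP;
    Mon, 12 Jan 2004 10:59:00 +0000
From: bob@another.com
To: victim@example.com
Subject: hello

body
"""


def parse_received(raw_message):
    """Return the Received hops top-down (newest first) as dicts."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())   # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue                          # malformed line: nothing usable
        seen = m.group("seen") or ""
        ip = IP_RE.search(seen) or IP_RE.search(m.group("helo"))
        rdns = seen.split()[0] if seen and not seen.startswith("[") else None
        hops.append({
            "helo": m.group("helo").strip("[]"),
            "rdns": rdns,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").rstrip(".").lower(),
        })
    return hops


def analyse_chain(raw_message, our_hosts=OUR_HOSTS):
    """Find where trust ends and which IP actually handed us the message."""
    hops = parse_received(raw_message)
    trusted = 0
    while trusted < len(hops) and hops[trusted]["by"] in our_hosts:
        trusted += 1
    last_ours = hops[trusted - 1] if trusted else None
    return {
        "hops": hops,
        "trusted_hops": trusted,
        # The peer our own MTA saw: the only origin worth reporting or blocking.
        "origin_ip": last_ours["ip"] if last_ours else None,
        # HELO name not backed by the rDNS our MTA recorded: a hint, not proof.
        "helo_unverified": bool(last_ours) and (
            last_ours["rdns"] is None
            or last_ours["rdns"].lower() != last_ours["helo"].lower()
        ),
    }


def naive_blame(hops):
    """What a header-scraping robot does: blame every host named anywhere."""
    names = set()
    for h in hops:
        names.update(x for x in (h["helo"], h["rdns"], h["ip"], h["by"])
                     if x and x != "unknown")
    return names


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        r = analyse_chain(raw)
        print(f"{label}: origin={r['origin_ip']} trusted_hops={r['trusted_hops']} "
              f"helo_unverified={r['helo_unverified']}")
        print("  a robot would blame:", sorted(naive_blame(r["hops"])))
```

For the forged message the trustworthy origin is 203.0.113.77, while the robot's list also contains mail.another.com and 198.51.100.10, which is exactly how the innocent servers in this story got listed. The HELO/rDNS mismatch is only a hint, since plenty of legitimate hosts announce a name that does not match their reverse DNS; the one hard fact is the peer address recorded by a server you operate, and that is the only address a complaint or listing should name.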
Chris Pugmire